Apple fixes a decade-old "legacy bug" at the core of iOS that affects all versions and has been exploited in real attacks.
A door that had been open for over a decade was finally truly closed today.
Many people are accustomed to regarding iOS as a "fortress-like" closed system: with unified hardware, a unified system, and a unified update rhythm, coupled with strict code signing and sandbox mechanisms, it seems inherently more secure. However, reality once again reminds us that even the most solid walls may hide dangers in their very foundations.
Recently, Apple fixed a zero-day vulnerability numbered CVE-2026-20700. What makes it special is that it affects not a new feature or a peripheral component, but one of the most fundamental pieces of iOS infrastructure: dyld, the dynamic linker. Even more astonishing is that this issue has existed since the iOS 1.0 era, spanning almost the entire history of the iPhone.
An "old vulnerability" affecting all iOS versions
To use a more intuitive analogy, dyld is like the "gatekeeper" of the phone's operating system. Before any app can launch, it must go through dyld's loading and linking process to actually run. dyld is responsible for loading the dynamic libraries required by the program into memory and completing the necessary security isolation.
The problem this time is that an attacker who has the ability to write to memory may use this vulnerability to execute arbitrary code.
Apple stated in its announcement that this vulnerability was discovered by the Google Threat Analysis Group, and that it has received reports confirming that this vulnerability "may have been used in extremely sophisticated attacks targeting specific individuals" and affects systems before iOS 26.
More crucially, Apple admits that this vulnerability has been exploited in the real world (in the wild) and is likely to be part of a complete exploit chain.
How crucial is dyld?
Brian Milbier, the deputy CISO of the security company Huntress, gave a vivid analogy:
"Imagine dyld as the gatekeeper of your phone's door. Every app that wants to run must first pass through it, be assembled, and obtain permission to start."
Normally, this "gatekeeper" verifies the legitimacy of the application and places it in a highly isolated "sandbox" to ensure that it cannot access the user's private data at will.
But the problem with this vulnerability is that attackers can "fool the gatekeeper" before the security check begins and obtain a "master key" in advance. Once they have this key, the consequences are easy to imagine.
What's even more worrying is that this dyld vulnerability does not exist in isolation. In the iOS 26.3 update, Apple also fixed multiple WebKit-related vulnerabilities. Attackers are combining precisely these dyld and WebKit vulnerabilities for exploitation.
Milbier said: "Attackers bypass the browser's (front-door) protection by forging their identities and then use the dyld vulnerability to ultimately gain full control of the entire 'building', that is, the entire device."
This attack path enables "zero-click" or "one-click" intrusions. A so-called "zero-click attack" means that a user's device may be compromised just by receiving a malicious message, without the user even clicking on a link or downloading a file. Such attacks usually occur in scenarios targeting high-value targets, such as journalists, politicians, and corporate executives.
Why did it lie dormant and unnoticed for over a decade?
Many developers may wonder: Why was a vulnerability that has existed for over a decade only fixed today?
The answer is a practical one: low-level components are often stable, complex, and highly dependent on historical compatibility. dyld sits on the core path of the system, and any change will affect hundreds or thousands of dependent modules. In security audits, the business logic layer and network layer are more likely to be the focus, while such "system infrastructure" is often underestimated because of its maturity and stability.
More importantly, such vulnerabilities usually do not appear alone but are hidden in the attack chain.
Milbier further pointed out that this highly complex attack mode closely resembles the vulnerability exploitation technology developed by the commercial surveillance industry, that is, private companies that provide targeted surveillance capabilities for government clients, such as the makers of well-known spyware like Pegasus and Predator.
These companies usually dig out system-level 0-day vulnerabilities, combine multiple vulnerabilities to form a complete exploitation chain, or provide finished attack tools or services. Judging from the technical complexity, the dyld + WebKit attack chain is "on a completely different level."
For this reason, he said bluntly that iOS 26.3 finally closed a door that had been open for over a decade.
What about the other vulnerabilities?
In this iOS and iPadOS update, Apple also fixed a large number of other security issues, including:
Vulnerabilities that can lead to the acquisition of root privileges
Sensitive user data leaks
Multiple memory safety flaws
However, Apple clearly stated that CVE-2026-20700 is the only vulnerability in this update confirmed to have been exploited in the real world.
In addition, Google researchers also mentioned in the report two high-risk vulnerabilities (CVSS score of 8.8) disclosed in December 2025:
(1) CVE-2025-14174: It exists in the ANGLE graphics engine of Chrome for Mac and is an out-of-bounds memory access vulnerability that can be triggered by a malicious web page.
(2) CVE-2025-43529: A typical use-after-free vulnerability that can lead to code execution.
Although these two vulnerabilities do not belong directly to iOS, the timeline and technical details show that researchers are paying attention to a wider range of attack chains and browser exploitation paths. Even on mobile platforms known for their security, memory safety issues such as out-of-bounds access, UAF, and arbitrary writes are still the main battlefield of modern offense and defense.
Reference link: https://www.theregister.com/2026/02/12/apple_ios_263/
This article is from the WeChat official account "CSDN". Compiled by Zheng Liyuan. Republished by 36Kr with authorization.