Apple fixes critical flaw exploited in targeted and sophisticated attacks

Apple has finally fixed a high severity memory corruption vulnerability affecting older iOS and iPadOS versions which threat actors have previously exploited to mount highly sophisticated and targeted cyber attacks.

 

The Cupertino technology giant introduced a fix for the memory corruption vulnerability with the release of iOS 26.3 and iPadOS 26.3 security updates on Wednesday. 

 

The fixes formed part of one of Apple’s most comprehensive round of security patches in which it fixed 71 vulnerabilities affecting iOS, iPadOS, macOS, tvOS, watchOS, and visionOS operating systems.

 

According to Apple, the high severity vulnerability in its Dynamic Link Editor, assigned CVE-2026-20700, enables an attacker with memory write capability to execute arbitrary code. 

 

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report," the company said.

 

Apple’s Dynamic Link Editor, or dyld, is an essential system component that loads dynamic libraries into memory and bridges application code with system frameworks. According to SOC Prime, by successfully exploiting vulnerabilities in dyld, an attacker can execute arbitrary code in foundational loader components as part of real-world exploit chains.

 

"Apple is aware of exploitation tied to highly targeted activity, which suggests mature tradecraft rather than opportunistic attacks," the firm said. "Apple also confirms the impact is arbitrary code execution, which means the outcome is not only stability issues, but attacker-controlled instruction execution on the device under the right conditions."

 

The memory corruption issue has been addressed with improved state management, Apple said. The company also issued patches for a couple of vulnerabilities that were also exploited by attackers, along with CVE-2026-20700, as part of an exploit chain in targeted attacks.

 

These vulnerabilities are CVE-2025-14174, an out of bounds memory access flaw in Google Chrome on Mac prior to 143.0.7499.110 that allows a remote attacker to perform out of bounds memory access via a crafted HTML page, and CVE-2025-43529, a use-after-free issue that allows an attacker to maliciously craft web content to eventually execute arbitrary code.  

 

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report," Apple said.