Apple fixed first actively exploited zero-day in 2026

Apple fixed an exploited zero-day in iOS, macOS, and other devices that allowed attackers to run code via a memory flaw.

Apple released updates for iOS, iPadOS, macOS, watchOS, tvOS, and visionOS to address an actively exploited zero-day tracked as CVE-2026-20700. The flaw is a memory corruption issue in Apple’s Dynamic Link Editor (dyld) that lets attackers execute arbitrary code on vulnerable devices.

Google’s Threat Analysis Group discovered and reported the issue, a circumstance that suggests the flaw may have been exploited by nation-state actors or commercial spyware vendors in attacks in the wild.

“An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.” reads the advisory published by Apple.

Apple fixed both CVE-2025-14174 and CVE-2025-43529 in December 2025 after reports of active exploitation.

CVE-2025-14174 is an out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110. A remote attacker can exploit the flaw to perform out of bounds memory access via a crafted HTML page.

Google first flagged CVE-2025-14174 (CVSS 8.8), an out-of-bounds memory flaw in ANGLE’s Metal renderer, which could allow code execution. CVE-2025-43529 (CVSS 8.8) is a WebKit use-after-free bug that could also let attackers run code through malicious web content. Updates are available for supported Apple devices and operating systems.

The vulnerability CVE-2025-43529 is a use-after-free flaw in Apple’s WebKit engine, the component responsible for processing web content. When WebKit mishandles memory, it may continue to access a portion of memory after it has already been freed. By delivering specially crafted web content, an attacker can trigger this condition, causing memory corruption. In practice, this can lead to application crashes or, in more serious cases, arbitrary code execution. The issue affects Safari and any Apple or third-party applications that rely on WebKit to parse and render HTML across iOS, iPadOS, macOS, and related platforms.

The IT giant addressed the memory corruption issue CVE-2026-20700 with improved state management.

The vulnerability was addressed with iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.

The security updates are now available for supported Apple devices across the latest iOS, iPadOS, macOS, watchOS, tvOS, and visionOS versions:

• iOS 26.3 and iPadOS 26.3 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
• macOS Tahoe 26.3 – Macs running macOS Tahoe
• tvOS 26.3 – Apple TV HD and Apple TV 4K (all models)
• watchOS 26.3 – Apple Watch Series 6 and later
• visionOS 26.3 – Apple Vision Pro (all models)

IApple also rolled out security updates to fix multiple vulnerabilities in older versions of iOS, iPadOS, macOS, and Safari:

• iOS 18.7.5 and iPadOS 18.7.5 – iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
• macOS Sequoia 15.7.4 – Macs running macOS Sequoia
• macOS Sonoma 14.8.4 – Macs running macOS Sonoma
• Safari 26.3 – Macs running macOS Sonoma and macOS Sequoia

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)