Apple Releases Critical iOS 26.3 Security Update to Address Zero-Day Vulnerability

Apple Releases Critical iOS 26.3 Security Update to Address Zero-Day Vulnerability

February 13, 2026 — Apple has issued emergency security updates across its product ecosystem, addressing a critical zero-day vulnerability that was actively exploited in highly sophisticated targeted attacks.

The updates, released on February 11, 2026, include iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, and corresponding versions for watchOS, tvOS, and visionOS.

Critical Zero-Day Vulnerability Exploited in the Wild

The most significant security flaw addressed in this update is CVE-2026-20700, a memory corruption vulnerability in dyld (Dynamic Link Editor), a core system component responsible for loading applications and libraries on Apple devices. This vulnerability allows attackers with memory write capability to execute arbitrary code on compromised devices.

Apple confirmed that it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.” The vulnerability was discovered and reported by Google’s Threat Analysis Group (TAG), a specialized team known for tracking government-backed hacking groups and commercial spyware vendors.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20700 to its Known Exploited Vulnerabilities catalog, marking it as the first Apple zero-day flagged by CISA in 2026.

Connection to Previous WebKit Vulnerabilities

According to Apple’s security advisory, CVE-2026-20700 appears to be part of a larger exploit chain. The company noted that two previously patched WebKit vulnerabilities — CVE-2025-14174 and CVE-2025-43529 — “were also issued in response to this report,” suggesting that attackers combined multiple security flaws to bypass Apple’s defenses.

These WebKit vulnerabilities were patched in December 2025 and were also exploited in targeted attacks against iOS users. CVE-2025-14174 is an out-of-bounds memory access flaw in Google’s ANGLE graphics engine that affects both Chrome and Safari, while CVE-2025-43529 is a use-after-free vulnerability that can lead to arbitrary code execution when processing malicious web content.

Security researchers believe the exploit chain likely involved visiting a malicious website that triggered the WebKit vulnerabilities, followed by exploitation of the dyld flaw to achieve deeper system compromise — a pattern consistent with commercial spyware deployment.

iOS 26.3 Release Candidate Hits Developers: Key Fixes and Lingering Mirroring Issues. Apple today officially seeded the Release Candidate (RC) version of iOS 26.3 to registered developers. As the final bridge between testing and the public launch, the RC build suggests that the official rollout for all users is imminent, likely scheduled for next week.

Comprehensive Security Fixes

Beyond the actively exploited zero-day, Apple’s iOS 26.3 and iPadOS 26.3 updates address approximately 37 to 39 security vulnerabilities across multiple system components. These fixes include:

Kernel vulnerabilities that could allow malicious apps to gain root privileges
Accessibility and Photos flaws that could expose sensitive user information on locked devices
Bluetooth vulnerabilities enabling denial-of-service attacks via malicious packets
Call History and Messages issues that could leak caller ID information
Game Center, Shortcuts, and Spotlight security improvements
Remote arbitrary file write vulnerabilities
Various memory corruption and process handling issues

While CVE-2026-20700 is the only vulnerability Apple explicitly confirmed as exploited in the wild, security experts warn that once vulnerabilities are publicly disclosed, even previously unexploited flaws can become targets for attackers.

New Features in iOS 26.3

Despite the heavy focus on security, iOS 26.3 includes several notable features:

Transfer to Android Tool: In a collaboration with Google, Apple has introduced a new “Transfer to Android” feature in Settings that allows iPhone users to wirelessly transfer photos, messages, notes, apps, passwords, mail accounts, voice memos, and WhatsApp data to Android devices. Google is implementing a similar feature for Android-to-iOS transfers.

Privacy Enhancement: A new “Limit Precise Location” toggle in Cellular Data Options restricts how much location information cellular networks can determine, limiting tracking to neighborhood-level rather than specific addresses.

Weather Wallpapers: Additional pre-built wallpapers in the Weather category that display live weather conditions for the user’s current location.

European Digital Markets Act Compliance: iOS 26.3 includes proximity pairing features for third-party accessories and new NFC capabilities for initiating connected devices without an iPhone present, helping Apple comply with EU interoperability requirements.

Targeted Nature of Attacks

Security experts note that the language Apple uses — “extremely sophisticated attack against specific targeted individuals” — is consistent with spyware campaigns that target high-value individuals such as journalists, activists, political dissidents, and public figures. The involvement of Google’s Threat Analysis Group, which specializes in tracking government-backed hacking operations, further supports this assessment.

Brian Milbier, deputy CISO at Huntress, emphasized the significance of the dyld vulnerability, noting that this component plays a critical role in iOS security. “These types of zero-day exploits affecting core system components are particularly dangerous because they can provide attackers with deep system access,” Milbier stated.

Immediate Action Required

Apple strongly recommends that all users update their devices immediately. The update is available for:

iPhone 11 and later
iPad Pro 12.9-inch (3rd generation) and later
iPad Pro 11-inch (1st generation) and later
iPad Air (3rd generation) and later
iPad (8th generation) and later
iPad mini (5th generation) and later

Users can update manually by navigating to Settings > General > Software Update. Most devices are configured to install security updates automatically.

For users running older operating system branches, Apple has also released security updates including iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, and macOS Sonoma 14.8.4, which contain the same critical security fixes.

Looking Ahead

According to Bloomberg’s Mark Gurman, Apple is expected to begin the iOS 26.4 beta cycle around February 23, 2026. Given the critical nature of the vulnerabilities addressed in iOS 26.3, security experts emphasize that users should not delay installation, even if they typically prefer to wait for later releases.

The discovery and exploitation of CVE-2026-20700 underscores the ongoing challenge of mobile device security in an era where sophisticated threat actors increasingly target core operating system components to conduct surveillance and espionage operations.