PT-2026-7805 · Apple · Ipados+6
Published
2026-02-11
·
Updated
2026-06-28
·
CVE-2026-20700
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
iOS versions prior to 19.4.1
iPadOS versions prior to 19.4.1
macOS versions prior to 15.7.4
visionOS versions prior to 2.4.1
watchOS versions prior to 26.3
tvOS versions prior to 26.3
Description
A heap-based memory corruption flaw exists in the
dyld (dynamic link editor), the core component responsible for loading and linking applications and libraries. The issue is caused by improper validation of bind info metadata within a loaded binary, where an impossible offset for a symbol binding can trigger a buffer overflow in the dyld cache-parsing logic. This allows an attacker to overwrite critical function pointers and achieve remote code execution with system privileges, effectively bypassing sandboxing and other modern mitigations. The flaw can be triggered via malformed Mach-O binaries or malicious web-content and message previews, potentially enabling zero-click exploitation. This issue has been actively exploited in highly targeted, sophisticated attacks against high-value individuals.Recommendations
Update iOS to version 19.4.1 or 18.7.5 for older devices.
Update iPadOS to version 19.4.1 or 18.7.5 for older devices.
Update macOS Sequoia to version 15.7.4.
Update visionOS to version 2.4.1.
Update watchOS to version 26.3.
Update tvOS to version 26.3.
Enable Lockdown Mode in Settings > Privacy & Security to restrict complex web-content and message previews.
Reset network settings after patching to clear potential persistent DNS hijacks.
Fix
LPE
RCE
DoS
Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apple Macos
Dyld
Ios
Ipados
Tvos
Visionos
Watchos