Zero-Day Vulnerability Present Since iOS 1 Serves as Important Security Reminder

While it’s not all that uncommon for zero-day vulnerabilities to be discovered in major operating systems, it is rare to hear about one that’s been present from the very beginning and only officially being addressed nearly 20 years later.

Apple recently announced that iOS 26 removed just one such zero-day vulnerability that has been present since Steve Jobs first introduced the iPhone in San Francisco so many years ago. The incident serves as a reminder that even the most advanced tech companies may have serious holes present in their products that they are not aware of, but that advanced threat actors and spyware vendors have come across and are actively exploiting.

“New” Apple CVE has been present since 2007

Apple did not address the recently announced CVE-2026-20700 with patching until late 2025, but it had apparently been underneath the radar since the earliest commercial version of iOS launched. What’s worse, it does appear to have been actively exploited in the wild for some unspecified amount of time.

Apple also did not specify exactly who was making use of the zero-day vulnerability, but research from Google’s Threat Analysis Group (the original discoverers) indicates that it is known to have been exploited as part of a “very sophisticated” attack chain involving WebKit vulnerabilities that were disclosed and patched late last year. The researchers did not get into great technical detail but do indicate this vulnerability could be exploited via one-click or even zero-click methods.

All versions of iOS prior to 26 are potentially exploitable by the zero-day vulnerability at this point, but it is possible Apple may issue further security updates for older versions (as they do sometimes for critical issues). The technique was not likely known or available to the average hacker, however. It was most likely one of the techniques closely guarded by one of the major international spyware providers, such as NSO Group or Intellexa.

Zero-day vulnerability also potentially impacts other Apple products

At fault is Apple’s dynamic linker “dyld”, which is not only a key part of iOS but of many of Apple’s other operating systems. It is still unclear if there is a known attack chain exploit that functions outside of iOS, however. What is known is that the attackers must gain access to memory write capability by some other means to take advantage of this zero-day vulnerability. Precautionary patches have been issued for macOS Tahoe, tvOS, watchOS, and visionOS.

What is known is that the average Apple customer probably does not have to worry about being breached by this particular issue, despite it lurking in the shadows since 2007. The Apple report indicates whoever was using the zero-day vulnerability in the wild limited deployment of it to “specific targeted individuals”, further suggesting either a spyware vendor or an advanced state-backed espionage group.

Apple reported a new zero-day vulnerability seven times in 2025. This one is the first of 2026, but the most serious in some time (given a CVE score of 9.8). At the moment, to be certain the zero-day vulnerability is removed users will need to be updated to iOS 26.3; that excludes iPhone and iPad models made prior to 2019, as the latest version of iOS requires the A13 Bionic Chip not introduced until the iPhone 11.