The Forever Day: How an 18-Year-Old iOS Bug Became Spyware Gold
CVE-2026-20700 has been silently waiting in every iPhone since 2007. Commercial spyware vendors found it first.
The Clock That Never Stopped
Picture this: The year is 2007. Steve Jobs walks onto a stage in San Francisco and introduces a revolutionary device that will change the world. “An iPod, a phone, and an internet communicator,” he says, revealing the first iPhone. The crowd erupts.
But hidden in the millions of lines of code powering that revolutionary device was a flaw. A tiny crack in the foundation. A vulnerability that would remain invisible, untouched, and unfixed for the next 18 years and 8 months.
On February 11, 2026, Apple quietly released iOS 26.3. Buried in the security notes was a single line that would send shockwaves through the security community:
“A memory corruption issue was addressed with improved state management.”
The vulnerability, designated CVE-2026-20700, had been present in every single version of iOS ever released—from iOS 1.0 on the original iPhone to iOS 26.2 on the latest iPhone 17 Pro Max. It affected iPadOS, macOS, watchOS, tvOS, and even visionOS.
But here’s the kicker: Apple wasn’t the one who found it.
Google’s Threat Analysis Group—the elite security team that hunts government hackers and commercial spyware vendors—discovered the flaw while tracking an “extremely sophisticated attack against specific targeted individuals.”
In the shadowy world of zero-day vulnerabilities, that phrase is industry shorthand for one thing: spyware.
What Is a “Forever Day”?
In cybersecurity, we talk about “zero-days”—vulnerabilities that are exploited before developers have had any time (zero days) to fix them. But CVE-2026-20700 deserves its own category. Security researchers are calling it a “forever day”—a vulnerability so old, so fundamental to the system, that it has been hiding in plain sight for nearly two decades.
During those 18 years, this flaw survived:
- 26 major iOS versions
- Thousands of security updates
- Multiple complete architecture changes
- The transition to 64-bit
- Introduction of ASLR, stack canaries, and PAC
- Apple’s enhanced security reviews post-Pegasus scandals
- Bug bounty payouts totaling over $35 million to researchers
And yet, the bug remained. Waiting. Until someone found it.
Inside dyld: Apple’s Achilles Heel
dyld stands for Dynamic Link Editor. It’s one of the most fundamental components of any Apple operating system. Every single time you launch an app—whether it’s Safari, Instagram, your banking app, or a game—dyld runs first.
As Brian Milbier, deputy CISO at Huntress, explained:
“Think of dyld as the doorman for your phone. Every single app that wants to run must first pass through this doorman. This vulnerability allows an attacker to trick the doorman into handing over a master key before security checks even begin.”
dyld runs with extremely high privileges, before most security protections are applied. A vulnerability here isn’t just a hole in the wall—it’s a skeleton key to the entire building.
The Exploit Chain: Three Vulnerabilities, Total Compromise
CVE-2026-20700 wasn’t exploited in isolation. Google TAG’s investigation revealed that the attackers used three vulnerabilities in sequence:
| CVE | CVSS | Component | Type |
|---|---|---|---|
| CVE-2025-14174 | 8.8 | ANGLE (Metal renderer) | Out-of-bounds memory access |
| CVE-2025-43529 | 8.8 | WebKit | Use-after-free |
| CVE-2026-20700 | 7.8 | dyld | Memory corruption |
Stage 1: Initial Access via WebKit—triggered by simply visiting a malicious webpage or receiving a specially crafted iMessage. Zero-click.
Stage 2: The attacker targets dyld, corrupting its state to load malicious code before security checks.
Stage 3: Full device control—read all files, access keychain, monitor traffic, activate microphone/camera, track location, read encrypted messages.
The Million-Dollar Market
Understanding why CVE-2026-20700 becomes “spyware gold” requires understanding the economics:
Apple’s Bug Bounty: Up to $2-5 million for a zero-click kernel exploit.
Gray Market (Zerodium): iOS full chain zero-click = $2.5 million+
Commercial Spyware License (Pegasus): $500,000 to $50 million per contract.
For a zero-click iOS chain that works from iOS 1.0 through iOS 26.2? The price would be astronomical—potentially $5-10 million or more.
Are You Compromised?
The terrifying reality: victims usually don’t know they’re infected. There are no slow performance symptoms, no pop-ups, no obvious signs.
Use Amnesty International’s Mobile Verification Toolkit (MVT) for forensic analysis:
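```bash
pip3 install mvt
# check-backup needs a decrypted copy; decrypt-backup prompts for the backup password
mvt-ios decrypt-backup -d /path/to/decrypted /path/to/encrypted/backup
mvt-ios check-backup --output /path/to/output /path/to/decrypted
```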
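An added example (not part of the original article or of MVT itself): MVT writes a `<module>_detected.json` file next to a module's results when a record matches a loaded indicator, so triage can start by listing those files. The sample folder is constructed, and `summarize_detections` and `build_sample_output` are hypothetical helper names.

```python
import json
import tempfile
from pathlib import Path

SUFFIX = "_detected.json"


def summarize_detections(output_dir):
    """Return {module_name: flagged_record_count} for an MVT output folder."""
    summary = {}
    for path in sorted(Path(output_dir).glob("*" + SUFFIX)):
        module = path.name[: -len(SUFFIX)]
        try:
            records = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            summary[module] = -1  # unreadable file: review it by hand
            continue
        summary[module] = len(records) if isinstance(records, list) else 1
    return summary


def build_sample_output(root):
    """Write constructed sample files (not real MVT output) into root."""
    root = Path(root)
    (root / "safari_history.json").write_text(json.dumps([
        {"url": "https://example.org/"},
        {"url": "https://flagged.example/"},
    ]))
    # Only the record that matched an indicator lands in the *_detected file.
    (root / "safari_history_detected.json").write_text(json.dumps([
        {"url": "https://flagged.example/"},
    ]))
    (root / "sms.json").write_text(json.dumps([{"text": "hello"}]))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = summarize_detections(build_sample_output(tmp))
        for module, count in result.items():
            print(f"{module}: {count} flagged record(s)")
        if not result:
            print("no *_detected.json files: no loaded indicator matched")
```

An empty summary means no loaded indicator matched, not that the device is clean; point the function at the `--output` folder from `check-backup`.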
How to Protect Yourself Right Now
Update Immediately
| Device | Update To |
|---|---|
| iPhone | iOS 26.3 |
| iPad | iPadOS 26.3 |
| Mac | macOS Tahoe 26.3 |
| Apple Watch | watchOS 26.3 |
CISA has added CVE-2026-20700 to its Known Exploited Vulnerabilities catalog with a mandatory remediation deadline of March 5, 2026 for federal agencies.
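For a fleet rather than a single phone, the table and KEV deadline above can be turned into an inventory check. This is an added example, not from the original article; the hostnames and versions in `SAMPLE` are constructed, and platforms the table does not list (tvOS, visionOS) are reported as unknown rather than guessed.

```python
from datetime import date

# Fixed versions exactly as listed in the table above.
FIXED = {"iOS": (26, 3), "iPadOS": (26, 3), "macOS": (26, 3), "watchOS": (26, 3)}
KEV_DEADLINE = date(2026, 3, 5)  # CISA KEV remediation date quoted above


def parse_version(text):
    """'26.2.1' -> (26, 2, 1). Numeric tuples avoid the string bug '26.10' < '26.3'."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown"  # platform has no fixed version in the table
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable version string: check by hand
    return "patched" if current >= fixed else "vulnerable"


def audit(inventory, today):
    """Group hosts by status and report days left until the KEV deadline."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    report["days_to_deadline"] = (KEV_DEADLINE - today).days
    return report


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE = [
    ("exec-iphone", "iOS", "26.2.1"),
    ("lab-ipad", "iPadOS", "26.3"),
    ("dev-mac", "macOS", "26.10"),
    ("kiosk-tv", "tvOS", "26.2"),
    ("old-watch", "watchOS", "11.6"),
]

if __name__ == "__main__":
    print(audit(SAMPLE, date(2026, 2, 12)))
```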
Enable Lockdown Mode (High-Risk Users)
Settings → Privacy & Security → Lockdown Mode → Turn On
Lockdown Mode significantly reduces your attack surface by blocking most message attachments, disabling link previews, blocking unknown FaceTime calls, and restricting web features.
Additional Steps
- Enable Automatic Updates
- Be skeptical of links from unknown senders
- Use Signal for sensitive communications
- Maintain encrypted backups
The Bottom Line
CVE-2026-20700 is a wake-up call. Somewhere in Apple’s codebase right now, other vulnerabilities are waiting. Some might be months old. Some might be decades old. Some might already be in the hands of spyware vendors.
Update your devices. Enable protections. Stay vigilant.
Quick Reference: CVE-2026-20700
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-20700 |
| CVSS Score | 7.8 (High) |
| Affected Versions | iOS 1.0 through iOS 26.2 (18+ years) |
| Patch | iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3 |
| Discovered By | Google Threat Analysis Group |
| CISA KEV | Yes (deadline March 5, 2026) |



