Apple Zero-Day CVE-2026-20700: Inside the 'Coruna' Attacks

By Dillip Chowdary • March 18, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) has added a new Apple zero-day, tracked as CVE-2026-20700, to its Known Exploited Vulnerabilities (KEV) catalog. This critical flaw in dyld (the Dynamic Link Editor) is being used in a series of highly targeted and sophisticated attacks dubbed 'Coruna'.

The Technical Root: Memory Corruption in dyld

The vulnerability is a memory corruption issue within dyld, the system component responsible for loading and linking libraries when an application starts. By exploiting this flaw, an attacker can achieve arbitrary code execution with system-level privileges before standard security checks like Gatekeeper are fully initialized.

Targeted 'Coruna' Attacks

Security researchers have identified that 'Coruna' attacks specifically target high-value individuals in the finance and defense sectors. The attack vector typically involves a multi-stage payload delivered via a seemingly harmless document, which then triggers the dyld exploit to gain a persistent foothold on the device.

Affected Systems

The vulnerability affects macOS Tahoe, iOS 26, and iPadOS 26. Apple has released emergency updates (macOS 26.3.1 and iOS 26.3.1) to address the issue. Users are urged to update their devices immediately.
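As an added example (not from Apple, CISA, or this article's sources), a device inventory can be triaged against the fixed versions named above. The host names, CSV layout and status labels are assumptions; the article gives no fixed version for iPadOS, so those devices are flagged for a manual check against the vendor advisory.

```python
import csv
import io

# Fixed versions as stated in the article; it gives none for iPadOS.
FIXED = {"macos": (26, 3, 1), "ios": (26, 3, 1)}
# Releases the article names as affected (macOS Tahoe is macOS 26).
AFFECTED_MAJOR = {"macos": 26, "ios": 26, "ipados": 26}

# Constructed sample inventory (hypothetical hosts), e.g. an MDM export.
SAMPLE_INVENTORY = """host,platform,os_version
fin-mbp-01,macOS,26.3
fin-mbp-02,macOS,26.3.1
exec-iphone-07,iOS,26.2.1
exec-ipad-03,iPadOS,26.3
lab-mini-09,macOS,15.7.2
kiosk-11,macOS,unknown
"""

def parse_version(text):
    """Turn '26.3' into (26, 3, 0); return None if it is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) > 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(platform, os_version):
    """Return patched, vulnerable, check-advisory, not-listed or unparsed."""
    key = platform.strip().lower()
    version = parse_version(os_version)
    if version is None:
        return "unparsed"            # never assume an unknown build is safe
    if key not in AFFECTED_MAJOR or version[0] < AFFECTED_MAJOR[key]:
        return "not-listed"          # article does not name this release
    if key not in FIXED:
        return "check-advisory"      # affected, but no fixed version on the page
    return "patched" if version >= FIXED[key] else "vulnerable"

def triage(inventory_csv):
    """Map host -> status for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {status}")
```

"not-listed" means only that the article does not name that release as affected; it is not a statement that the release is safe.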

CISA Patch Deadline

Federal agencies have been given until March 25, 2026, to patch their systems. Given the active exploitation and the severity of the flaw, private sector organizations should prioritize this update within the next 24 hours.

Mitigation and Detection

Beyond patching, organizations should monitor for unusual process activity originating from dyld or unexpected system-level network connections. EDR solutions should be updated with the latest 'Coruna' IOCs (Indicators of Compromise).
