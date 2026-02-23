Last week, Apple issued an important software update for iPhones on iOS 26. While the latest version included the usual vague “bug fixes and updates,” it also contained a critical patch for a zero-day vulnerability that has already been exploited by hackers on targeted devices. To put it mildly, you need to update your iPhone now, or your device and private data are all at risk.

What is a zero-day vulnerability?

In case you’ve never heard the phrase before, zero-day vulnerabilities are unknown security threats within a device’s software that exist outside of the developer’s purview. These can pop for a variety of reasons, including flaws in the source code, improper input validation that processes malicious data, and simple developer oversight.

An extremely sophisticated attack against specific targeted individuals.

What’s worse, these exploits are often found first by hackers and used to inject malicious code into targeted devices to bypass security protocols and gain access to either steal private data or install malware to spy on users.

The thing that makes zero-day vulnerabilities so dangerous is that hackers can use them to access devices for weeks or even months before developers isolate the problem and issue a fix.

iOS 26.3 patches iPhone’s latest major security hole

Apple sent an over-the-air update to iPhones on iOS 26 last week. Bringing the version number to 26.3, the latest release includes a fix for CVE-2026-20700, a zero-day threat that was identified by Google’s Threat Analysis Group.

In case you’re wondering how Google found a security flaw in an Apple product, TAG is a team of researchers who regularly scour first-party and third-party products in search of security flaws and cyber threats. They specialize in thwarting “government-backed attacks,” suggesting that CVE-2026-20700 likely has government ties — either foreign or domestic — though neither Apple nor Google assigned blame to a particular group.

Once discovered, TAG informed Apple of the vulnerability, giving the company valuable time to patch the hole before informing the public and letting hackers know that the loophole was closed.

JIRAROJ PRADITCHAROENKUL

As part of the change log that was released alongside iOS 26.3, Apple admitted, “An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

In other words, the exploit exists and it has already been leveraged against a small subset of users.

How to upgrade to iOS 26.3

To patch this zero-day vulnerability on your devices, you should update to iOS 26.3 immediately. You can download the update by following these directions:

Open the Settings app on your iPhone.

Tap “General.”

Select the second option called “Software Update.”

At the bottom of the next screen, choose “Update Now.”

Screenshots by Zach Laidlaw

Note that iPhones aren’t the only Apple devices at risk. You should also update your iPad to iPadOS 26.3, if it’s available.

For those who are still on an older version of iOS, Apple has not indicated a fix for the zero-day issue at this time. That either means the zero-day threat isn’t as invasive on older software, or a fix hasn’t been implemented yet. Either way, users on older iOS versions should update to iOS 18.7.5 for the latest security fixes.

More features in iOS 26.3

In addition to a major security patch, iOS 26.3 includes several additional features, such as the ability to prevent carrier networks from seeing the precise location of select iPhones with an Apple C-series modem (right now, that only includes iPhone Air and iPhone 16e), new switch-to-Android tools, and a snazzy live weather wallpaper. This update is free and available now to iPhones 11 and up.