February 12, 2026
Zero-day? More like zero-chill
Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware
Apple shuts a decade-old iPhone hole — users rage over 'bricked' iPads and broken trust
TLDR: Apple fixed a long-hidden iPhone flaw used by advanced spyware, rolled into iOS 26.3. Commenters are split: some feel betrayed and stuck with outdated iPads, others argue it targeted a few people, and confusion over “zero-day” and calls for open source fuel the drama. This matters for privacy and trust.
Apple just slammed a door that’s been secretly open since the very first iPhone, patching a bug that Google says was used in “extremely sophisticated” attacks on specific targets. The fix landed in iOS 26.3, closing a flaw in the phone’s “doorman” (the app loader) that could be chained with browser tricks for near-total takeover. Sounds heroic… until the comments set the place on fire. One user declared their older iPad is “finally a brick,” furious there’s no update for iPadOS 17, while another says they trusted Apple and can’t believe data could be pulled from a locked phone. Ouch.
The term “zero-day” sparked a mini flame war: how can a decade-old bug be called “zero-day”? Cue explainers that it means attackers got in before there was a fix, not that the flaw is new. Meanwhile, someone joked the update was only for “Tahoe” (they meant iOS 18), turning version numbers into memes. The open source vs Apple feud also made a cameo, with cheers that Google’s researchers found the mess — “Open source wins… again.” Others tried calming the pitchforks, reminding everyone the attacks were targeted and not your average hacker next door. But the vibe remains: this patch is huge, and the trust hangover is real. Read Apple’s notes here and Google’s take here.
Key Points
- Apple patched CVE-2026-20700, a dyld zero-day affecting every iOS version since 1.0, exploited against targeted users.
- Discovered by Google’s Threat Analysis Group, the flaw allows arbitrary code execution when attackers have memory write capability.
- Apple says the bug may have been part of an exploit chain; iOS 26.3 also fixed WebKit issues enabling zero/one-click compromise when chained.
- Google researchers referenced two CVSS 8.8 bugs: CVE-2025-14174 in Chrome’s ANGLE on Mac and CVE-2025-43529 (use-after-free).
- Apple issued additional iOS/iPadOS fixes for bugs granting root access or exposing data; only CVE-2026-20700 is confirmed exploited in the wild.