About the security content of watchOS 26.4

This document describes the security content of watchOS 26.4.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

watchOS 26.4

802.1X

Available for: Apple Watch Series 6 and later

Impact: An attacker in a privileged network position may be able to intercept network traffic

Description: An authentication issue was addressed with improved state management.

CVE-2026-28865: Héloïse Gollier and Mathy Vanhoef (KU Leuven)

Accounts

Available for: Apple Watch Series 6 and later

Impact: An app may be able to access sensitive user data

Description: An authorization issue was addressed with improved state management.

CVE-2026-28877: Rosyna Keller of Totally Not Malicious Software

Audio

Available for: Apple Watch Series 6 and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A use-after-free issue was addressed with improved memory management.

CVE-2026-28879: Justin Cohen of Google

Audio

Available for: Apple Watch Series 6 and later

Impact: An attacker may be able to cause unexpected app termination

Description: A type confusion issue was addressed with improved memory handling.

CVE-2026-28822: Jex Amro

CoreMedia

Available for: Apple Watch Series 6 and later

Impact: Processing an audio stream in a maliciously crafted media file may terminate the process

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2026-20690: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

CoreUtils

Available for: Apple Watch Series 6 and later

Impact: A user in a privileged network position may be able to cause a denial-of-service

Description: A null pointer dereference was addressed with improved input validation.

CVE-2026-28886: Etienne Charron (Renault) and Victoria Martini (Renault)

Crash Reporter

Available for: Apple Watch Series 6 and later

Impact: An app may be able to enumerate a user's installed apps

Description: A privacy issue was addressed by removing sensitive data.

CVE-2026-28878: Zhongcheng Li from IES Red Team

curl

Available for: Apple Watch Series 6 and later

Impact: An issue existed in curl which may result in unintentionally sending sensitive information via an incorrect connection

Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

CVE-2025-14524

GeoServices

Available for: Apple Watch Series 6 and later

Impact: An app may be able to access sensitive user data

Description: An information leakage was addressed with additional validation.

CVE-2026-28870: XiguaSec

ImageIO

Available for: Apple Watch Series 6 and later

Impact: Processing a maliciously crafted file may lead to unexpected app termination

Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

CVE-2025-64505

Kernel

Available for: Apple Watch Series 6 and later

Impact: An app may be able to disclose kernel memory

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28868: 이동하 (Lee Dong Ha of BoB 0xB6)

Kernel

Available for: Apple Watch Series 6 and later

Impact: An app may be able to leak sensitive kernel state

Description: This issue was addressed with improved authentication.

CVE-2026-28867: Jian Lee (@speedyfriend433)

Kernel

Available for: Apple Watch Series 6 and later

Impact: An app may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2026-20698: DARKNAVY (@DarkNavyOrg)

Kernel

Available for: Apple Watch Series 6 and later

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A use after free issue was addressed with improved memory management.

CVE-2026-20687: Johnny Franks (@zeroxjf)

libxpc

Available for: Apple Watch Series 6 and later

Impact: An app may be able to enumerate a user's installed apps

Description: This issue was addressed with improved checks.

CVE-2026-28882: Ilias Morad (A2nkF) of Voynich Group, Duy Trần (@khanhduytran0), @hugeBlack

Sandbox Profiles

Available for: Apple Watch Series 6 and later

Impact: An app may be able to fingerprint the user

Description: A permissions issue was addressed with additional restrictions.

CVE-2026-28863: Gongyu Ma (@Mezone0)

Security

Available for: Apple Watch Series 6 and later

Impact: A local attacker may gain access to user's Keychain items

Description: This issue was addressed with improved permissions checking.

CVE-2026-28864: Alex Radocea

Siri

Available for: Apple Watch Series 6 and later

Impact: An attacker with physical access to a locked device may be able to view sensitive user information

Description: The issue was addressed with improved authentication.

CVE-2026-28856: an anonymous researcher

UIFoundation

Available for: Apple Watch Series 6 and later

Impact: An app may be able to cause a denial-of-service

Description: A stack overflow was addressed with improved input validation.

CVE-2026-28852: Caspian Tarafdar

WebKit

Available for: Apple Watch Series 6 and later

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: This issue was addressed through improved state management.

CVE-2026-20665: webb

WebKit

Available for: Apple Watch Series 6 and later

Impact: A malicious website may be able to process restricted web content outside the sandbox

Description: The issue was addressed with improved memory handling.

CVE-2026-28859: greenbynox, Arni Hardarson

WebKit Sandboxing

Available for: Apple Watch Series 6 and later

Impact: A maliciously crafted webpage may be able to fingerprint the user

Description: An authorization issue was addressed with improved state management.

CVE-2026-20691: Gongyu Ma (@Mezone0)

Additional recognition

AirPort

We would like to acknowledge Yashar Shahinzadeh, Saman Ebrahimnezhad, Amir Safari, Omid Rezaii for their assistance.

Bluetooth

We would like to acknowledge Hamid Mahmoud for their assistance.

Captive Network

We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance.

CloudAttestation

We would like to acknowledge Suresh Sundaram, Willard Jansen for their assistance.

CoreUI

We would like to acknowledge Peter Malone for their assistance.

Find My

We would like to acknowledge Salemdomain for their assistance.

GPU Drivers

We would like to acknowledge Jian Lee (@speedyfriend433) for their assistance.

ICU

We would like to acknowledge Jian Lee (@speedyfriend433) for their assistance.

Kernel

We would like to acknowledge DARKNAVY (@DarkNavyOrg), Kylian Boulard De Pouqueville From Fuzzinglabs, Patrick Ventuzelo From Fuzzinglabs, Robert Tran, Suresh Sundaram for their assistance.

libarchive

We would like to acknowledge Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs, Arni Hardarson for their assistance.

libc

We would like to acknowledge Vitaly Simonovich for their assistance.

Libnotify

We would like to acknowledge Ilias Morad (@A2nkF_) for their assistance.

LLVM

We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.

Messages

We would like to acknowledge JZ for their assistance.

MobileInstallation

We would like to acknowledge Gongyu Ma (@Mezone0) for their assistance.

ppp

We would like to acknowledge Dave G. for their assistance.

Quick Look

We would like to acknowledge Wojciech Regula of SecuRing (wojciechregula.blog), an anonymous researcher for their assistance.

Safari

We would like to acknowledge @RenwaX23, Farras Givari, Syarif Muhammad Sajjad, Yair for their assistance.

Shortcuts

We would like to acknowledge Waleed Barakat (@WilDN00B) and Paul Montgomery (@nullevent) for their assistance.

Siri

We would like to acknowledge Anand Mallaya, Tech consultant, Anand Mallaya and Co., Harsh Kirdolia, Hrishikesh Parmar of Self-Employed for their assistance.

Spotlight

We would like to acknowledge Bilge Kaan Mızrak, Claude & Friends: Risk Analytics Research Group, Zack Tickman for their assistance.

Time Zone

We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from Safran Mumbai India for their assistance.

UIKit

We would like to acknowledge AEC, Abhay Kailasia (@abhay_kailasia) from Safran Mumbai India, Bishal Kafle (@whoisbishal.k), Carlos Luna (U.S. Department of the Navy), Dalibor Milanovic, Daren Goodchild, JS De Mattei, Maxwell Garn, Zack Tickman, fuyuu12, incredincomp for their assistance.

Wallet

We would like to acknowledge Zhongcheng Li from IES Red Team of ByteDance for their assistance.

Web Extensions

We would like to acknowledge Carlos Jeurissen, Rob Wu (robwu.nl) for their assistance.

WebKit

We would like to acknowledge Vamshi Paili for their assistance.

WebKit Process Model

We would like to acknowledge Joseph Semaan for their assistance.

Wi-Fi

We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy), an anonymous researcher for their assistance.

Wi-Fi Connectivity

We would like to acknowledge Alex Radocea of Supernetworks, Inc for their assistance.

Widgets

We would like to acknowledge Marcel Voß, Mitul Pranjay, Serok Çelik for their assistance.