About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
watchOS 6
Released September 19, 2019
Audio
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8706: Yu Zhou of Ant-Financial Light-Year Security Lab
Entry added October 29, 2019
Audio
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8850: Anonymous working with Trend Micro Zero Day Initiative
Entry added December 4, 2019
CFNetwork
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: This issue was addressed with improved checks.
CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland
Entry added October 29, 2019
CoreAudio
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted movie may result in the disclosure of process memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative
Entry added October 8, 2019
CoreCrypto
Available for: Apple Watch Series 3 and later
Impact: Processing a large input may lead to a denial of service
Description: A denial of service issue was addressed with improved input validation.
CVE-2019-8741: Nicky Mouha of NIST
Entry added October 29, 2019
Foundation
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero
Entry updated October 29, 2019, updated February 11, 2020
IOUSBDeviceFamily
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8718: Joshua Hill and Sem Voigtländer
Entry added October 29, 2019
Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed with improved entitlements.
CVE-2019-8703: an anonymous researcher
Entry added March 16, 2021
Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2019-8740: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019
Kernel
Available for: Apple Watch Series 3 and later
Impact: A local app may be able to read a persistent account identifier
Description: A validation issue was addressed with improved logic.
CVE-2019-8809: Apple
Entry added October 29, 2019
Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8712: Mohamed Ghannam (@_simo36)
Entry added October 29, 2019
Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to determine kernel memory layout
Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.
CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team
Entry added October 29, 2019
Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2019-8709: derrek (@derrekr6) derrek (@derrekr6)
Entry added October 29, 2019
Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8717: Jann Horn of Google Project Zero
Entry added October 8, 2019
libxml2
Available for: Apple Watch Series 3 and later
Impact: Multiple issues in libxml2
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2019-8749: found by OSS-Fuzz
CVE-2019-8756: found by OSS-Fuzz
Entry added October 8, 2019
mDNSResponder
Available for: Apple Watch Series 3 and later
Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications
Description: This issue was resolved by replacing device names with a random identifier.
CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt
Entry added October 29, 2019
UIFoundation
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative
Entry added October 8, 2019
UIFoundation
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2019-8831: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative
Entry added November 18, 2019
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-8710: found by OSS-Fuzz
CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation
CVE-2019-8734: found by OSS-Fuzz
CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech
CVE-2019-8773: found by OSS-Fuzz
Entry added October 29, 2019
Wi-Fi
Available for: Apple Watch Series 3 and later
Impact: A device may be passively tracked by its Wi-Fi MAC address
Description: A user privacy issue was addressed by removing the broadcast MAC address.
CVE-2019-8854: Ta-Lun Yen of UCCU Hacker and FuriousMacTeam of the United States Naval Academy and the Mitre Cooperation
Entry added December 4, 2019
Additional recognition
Audio
We would like to acknowledge riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative for their assistance.
Entry added October 29, 2019
boringssl
We would like to acknowledge Thijs Alkemade (@xnyhps) of Computest for their assistance.
Entry added October 8, 2019
HomeKit
We would like to acknowledge Tian Zhang for their assistance.
Entry added October 29, 2019
Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for their assistance.
Entry added October 29, 2019
mDNSResponder
We would like to acknowledge Gregor Lang of e.solutions GmbH for their assistance.
Entry added October 29, 2019
Profiles
We would like to acknowledge Erik Johnson of Vernon Hills High School, James Seeley (@Code4iOS) of Shriver Job Corps for their assistance.
Entry added October 29, 2019
Safari
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Entry added October 29, 2019, updated April 4, 2020
WebKit
We would like to acknowledge MinJeong Kim of Information Security Lab, Chungnam National University, JaeCheol Ryou of the Information Security Lab, Chungnam National University in South Korea, cc working with Trend Micro's Zero Day Initiative for their assistance.
Entry added October 29, 2019