This document describes the security content of watchOS 26.
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released September 15, 2025
Available for: Apple Watch Series 9 and later, Apple Watch SE 2nd generation, Apple Watch Ultra (all models)
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2025-43344: an anonymous researcher
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43317: Mickey Jin (@patch1t)
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2025-43346: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: A logging issue was addressed with improved data redaction.
CVE-2025-43354: Csaba Fitzl (@theevilbit) of Kandji
CVE-2025-43303: Csaba Fitzl (@theevilbit) of Kandji
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted video file may lead to unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2025-43349: @zlluny working with Trend Micro Zero Day Initiative
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: The issue was addressed with improved input validation.
CVE-2025-43372: 이동하 (Lee Dong Ha) of SSA Lab
Available for: Apple Watch Series 6 and later
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2025-43302: Keisuke Hosoda
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: An authorization issue was addressed with improved state management.
CVE-2025-31255: Csaba Fitzl (@theevilbit) of Kandji
Available for: Apple Watch Series 6 and later
Impact: A UDP server socket bound to a local interface may become bound to all interfaces
Description: A logic issue was addressed with improved state management.
CVE-2025-43359: Viktor Oreshkin
Available for: Apple Watch Series 6 and later
Impact: An app may be able to cause a denial-of-service
Description: A type confusion issue was addressed with improved memory handling.
CVE-2025-43355: Dawuge of Shuffle Team
Available for: Apple Watch Series 6 and later
Impact: An app may be able to break out of its sandbox
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43329: an anonymous researcher
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2025-43190: Noah Gregory (wts.dev)
Available for: Apple Watch Series 6 and later
Impact: Processing a file may lead to memory corruption
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2025-6965
Available for: Apple Watch Series 6 and later
Impact: An input validation issue was addressed
Description: This issue was addressed by removing the vulnerable code.
CVE-2025-43347: JZ, Seo Hyun-gyu (@wh1te4ever), Luke Roberts (@rookuu)
Available for: Apple Watch Series 6 and later
Impact: A website may be able to access sensor information without user consent
Description: The issue was addressed with improved handling of caches.
WebKit Bugzilla: 296153
CVE-2025-43356: Jaydev Ahire
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 294550
CVE-2025-43272: Big Bear
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 296490
CVE-2025-43343: an anonymous researcher
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A correctness issue was addressed with improved checks.
WebKit Bugzilla: 296042
CVE-2025-43342: an anonymous researcher
We would like to acknowledge 要乐奈 for their assistance.
We would like to acknowledge Rosyna Keller of Totally Not Malicious Software for their assistance.
We would like to acknowledge Keisuke Chinone (Iroiro) for their assistance.
We would like to acknowledge Christian Kohlschütter for their assistance.
We would like to acknowledge Yinyi Wu (@_3ndy1) from Dawn Security Lab of JD.com, Inc for their assistance.
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.
We would like to acknowledge Csaba Fitzl (@theevilbit) of Kandji for their assistance.
We would like to acknowledge DongJun Kim (@smlijun) and JongSeong Kim (@nevul37) in Enki WhiteHat for their assistance.
We would like to acknowledge Yepeng Pan, Prof. Dr. Christian Rossow for their assistance.
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.
We would like to acknowledge Pyrophoria and Ethan Day, kado for their assistance.
We would like to acknowledge Barrett Lyon for their assistance.
We would like to acknowledge Dora Orak for their assistance.
We would like to acknowledge Rosyna Keller of Totally Not Malicious Software for their assistance.
We would like to acknowledge Wojciech Regula of SecuRing (wojciechregula.blog), 要乐奈 for their assistance.
We would like to acknowledge Bob Lord, Matthew Liang, Mike Cardwell of grepular.com for their assistance.
We would like to acknowledge Aobo Wang (@M4x_1997), Csaba Fitzl (@theevilbit) of Kandji, Noah Gregory (wts.dev), Wojciech Regula of SecuRing (wojciechregula.blog), an anonymous researcher for their assistance.