SB2026032540 - Multiple vulnerabilities in Apple watchOS
Published: March 25, 2026
Description
This security bulletin contains information about 22 security vulnerabilities.
1) Use after free (CVE-ID: CVE-2026-20687)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in Kernel. A local application can cause unexpected system termination or write kernel memory.
2) Information disclosure (CVE-ID: CVE-2026-20691)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the WebKit Sandboxing component. A remote attacker can fingerprint the user.
3) Memory corruption (CVE-ID: CVE-2026-28859)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation in WebKit when processing web content. A remote attacker can trick the victim into visiting a specially crafted website and force the browser into processing restricted web content outside the sandbox.
4) State Issues (CVE-ID: CVE-2026-20665)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a state management issue in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.
5) Improper input validation (CVE-ID: CVE-2026-28852)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in UIFoundation. A local application can cause a denial of service.
6) Improper authentication (CVE-ID: CVE-2026-28856)
The vulnerability allows an attacker to bypass authentication checks.
The vulnerability exists due to an improper authentication mechanism in Siri. An attacker with physical access to the device can view sensitive user information.
7) Information disclosure (CVE-ID: CVE-2026-28864)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access controls in the Security component when handling local requests. A local user can exploit this to disclose sensitive information.
Exploitation requires local access and no additional privileges beyond those of a standard user.
8) Information disclosure (CVE-ID: CVE-2026-28863)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in Sandbox Profiles. A local application can fingerprint the user.
9) Improper access control (CVE-ID: CVE-2026-28882)
The vulnerability allows a local user to escalate privileges and execute arbitrary code.
The vulnerability exists due to improper access control in libxpc when handling local application requests. A local user can exploit this to escalate privileges and execute arbitrary code.
Exploitation requires local access and the ability to execute a local application.
10) Memory corruption (CVE-ID: CVE-2026-20698)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in Kernel. A local application can cause unexpected system termination or corrupt kernel memory.
11) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2026-28865)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in the 802.1X protocol implementation when handling authentication requests. A remote attacker on the local network can intercept sensitive information.
12) Improper access control (CVE-ID: CVE-2026-28867)
The vulnerability allows a local user to execute arbitrary code in kernel space.
The vulnerability exists due to improper access control in the kernel when handling local application requests. A local user can exploit this to execute arbitrary code in kernel space.
Successful exploitation may allow the attacker to gain full control over the system.
13) Information exposure through log files (CVE-ID: CVE-2026-28868)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to inclusion of sensitive information into a log file in Kernel. A local application can disclose kernel memory.
14) Out-of-bounds read (CVE-ID: CVE-2025-64505)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the png_do_quantize function when processing PNG files with malformed palette indices. A remote attacker can pass a specially crafted image file to the application, trigger an out-of-bounds read error and read contents of memory on the system.
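The defensive counterpart to the png_do_quantize issue above, as an added example that is not libpng's or Apple's code: a minimal 8-bit indexed-colour PNG reader that validates every pixel index against the PLTE entry count before any palette or quantization table lookup would use it. The sample image writer is a constructed helper so the check can be exercised offline.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_indexed_png(width, height, palette, rows) -> bytes:
    # Constructed sample writer: 8-bit indexed colour, filter type 0 on every row.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 3, 0, 0, 0)
    plte = b"".join(bytes(c) for c in palette)
    raw = b"".join(b"\x00" + bytes(r) for r in rows)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", plte)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))

def validate_palette_indices(png: bytes) -> int:
    """Check every pixel index against the PLTE entry count before any palette or
    quantization lookup. Returns pixels checked; raises ValueError if malformed."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, width, height, palette_size, idat = len(PNG_SIG), None, None, None, b""
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        if struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0] != zlib.crc32(ctype + data):
            raise ValueError(f"bad CRC in {ctype!r}")
        if ctype == b"IHDR":
            width, height, depth, color = struct.unpack(">IIBB", data[:10])
            if (depth, color) != (8, 3):
                raise ValueError("only 8-bit indexed colour is handled here")
        elif ctype == b"PLTE":
            if length % 3 or not 1 <= length // 3 <= 256:
                raise ValueError("bad PLTE length")
            palette_size = length // 3          # the only trusted bound for pixel indices
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length
    if width is None or palette_size is None:
        raise ValueError("missing IHDR or PLTE")
    raw, stride = zlib.decompress(idat), width + 1   # one filter byte per row
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if len(row) != stride or row[0] != 0:
            raise ValueError("short row or unsupported filter type")
        for x, idx in enumerate(row[1:]):
            if idx >= palette_size:             # would read past the palette in C
                raise ValueError(f"pixel ({x},{y}): index {idx} >= palette size {palette_size}")
    return width * height
```

Only filter type 0 is accepted, because with filters 1 to 4 the stored bytes are deltas rather than indices and must be unfiltered before the bound check is meaningful.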
15) Information disclosure (CVE-ID: CVE-2026-28870)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access controls in GeoServices when handling local application requests. A local user can exploit this to disclose sensitive information.
Access to the local system is required to exploit this vulnerability.
16) Insufficiently protected credentials (CVE-ID: CVE-2025-14524)
The vulnerability allows an attacker to obtain a bearer token.
The vulnerability exists due to an error when handling cross-protocol redirects. When an oauth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
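A conservative redirect policy for the bearer-token case described above, as an added example that is not curl's code and is deliberately stricter than the behaviour the entry describes: the token is forwarded only when the redirect target keeps the HTTP(S) protocol family and the same host, so a hop to an IMAP, LDAP, POP3 or SMTP URL never carries it. The URLs used are constructed.

```python
from urllib.parse import urlparse

HTTP_SCHEMES = {"http", "https"}
# Redirect target schemes named in the advisory as the ones curl could wrongly
# forward the bearer token to (listed only to make the decision explicit).
NON_HTTP_SCHEMES = {"imap", "imaps", "ldap", "ldaps", "pop3", "pop3s", "smtp", "smtps"}

def should_forward_bearer(original_url: str, redirect_url: str) -> bool:
    """Decide whether an OAuth2 bearer token obtained for original_url may be
    sent along when following a redirect to redirect_url."""
    src, dst = urlparse(original_url), urlparse(redirect_url)
    if src.scheme.lower() not in HTTP_SCHEMES or src.hostname is None:
        return False                     # token was bound to an HTTP(S) origin only
    if dst.scheme.lower() in NON_HTTP_SCHEMES or dst.scheme.lower() not in HTTP_SCHEMES:
        return False                     # cross-protocol redirect: never forward
    if dst.hostname is None or dst.hostname.lower() != src.hostname.lower():
        return False                     # different host: token was not issued for it
    return True

def headers_for_redirect(original_url: str, redirect_url: str, bearer_token: str) -> dict:
    """Build the headers for the next hop; Authorization is present only when the
    policy above allows the token to travel."""
    headers = {"User-Agent": "example-client/1.0"}     # constructed value
    if should_forward_bearer(original_url, redirect_url):
        headers["Authorization"] = "Bearer " + bearer_token
    return headers

def follow_chain(start_url: str, chain: list, bearer_token: str) -> list:
    """Simulate following a constructed redirect chain and record, per hop,
    whether the token would have been sent."""
    decisions, current = [], start_url
    for nxt in chain:
        sent = "Authorization" in headers_for_redirect(current, nxt, bearer_token)
        decisions.append((nxt, sent))
        current = nxt
    return decisions
```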
17) Improper input validation (CVE-ID: CVE-2026-28878)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in Crash Reporter when handling crash reports. A local user can provide specially crafted input to cause a denial of service.
Exploitation does not require elevated privileges.
18) Improper input validation (CVE-ID: CVE-2026-28886)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in CoreUtils. A local user can cause a denial of service.
19) Memory corruption (CVE-ID: CVE-2026-20690)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service (DoS) attack.
20) Buffer overflow (CVE-ID: CVE-2026-28822)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in the Audio subsystem. A remote attacker can trick the victim into opening a specially crafted media file, trigger memory corruption and perform a denial of service attack.
21) Use after free (CVE-ID: CVE-2026-28879)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in Audio. A remote attacker can trick the victim into opening a specially crafted file and perform an unexpected process crash.
22) Improper authorization (CVE-ID: CVE-2026-28877)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper authorization checks in the Accounts component. A local application can gain access to sensitive user information.
Remediation
Install the update from the vendor's website.