
Full Disclosure mailing list archives
APPLE-SA-09-15-2025-9 watchOS 26
From: Apple Product Security via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 15 Sep 2025 16:36:59 -0700
APPLE-SA-09-15-2025-9 watchOS 26

watchOS 26 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/125116.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Apple Neural Engine
Available for: Apple Watch Series 9 and later, Apple Watch SE 2nd generation, Apple Watch Ultra (all models)
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2025-43344: an anonymous researcher

AppleMobileFileIntegrity
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43317: Mickey Jin (@patch1t)

Audio
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2025-43346: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

Bluetooth
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: A logging issue was addressed with improved data redaction.
CVE-2025-43354: Csaba Fitzl (@theevilbit) of Kandji
CVE-2025-43303: Csaba Fitzl (@theevilbit) of Kandji

CoreAudio
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted video file may lead to unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2025-43349: @zlluny working with Trend Micro Zero Day Initiative

CoreMedia
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: The issue was addressed with improved input validation.
CVE-2025-43372: 이동하 (Lee Dong Ha) of SSA Lab

IOHIDFamily
Available for: Apple Watch Series 6 and later
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2025-43302: Keisuke Hosoda

IOKit
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: An authorization issue was addressed with improved state management.
CVE-2025-31255: Csaba Fitzl (@theevilbit) of Kandji

Kernel
Available for: Apple Watch Series 6 and later
Impact: A UDP server socket bound to a local interface may become bound to all interfaces
Description: A logic issue was addressed with improved state management.
CVE-2025-43359: Viktor Oreshkin

MobileStorageMounter
Available for: Apple Watch Series 6 and later
Impact: An app may be able to cause a denial-of-service
Description: A type confusion issue was addressed with improved memory handling.
CVE-2025-43355: Dawuge of Shuffle Team

Sandbox
Available for: Apple Watch Series 6 and later
Impact: An app may be able to break out of its sandbox
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43329: an anonymous researcher

Spell Check
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2025-43190: Noah Gregory (wts.dev)

SQLite
Available for: Apple Watch Series 6 and later
Impact: Processing a file may lead to memory corruption
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2025-6965

System
Available for: Apple Watch Series 6 and later
Impact: An input validation issue was addressed
Description: This issue was addressed by removing the vulnerable code.
CVE-2025-43347: JZ, Seo Hyun-gyu (@wh1te4ever), Luke Roberts (@rookuu)

WebKit
Available for: Apple Watch Series 6 and later
Impact: A website may be able to access sensor information without user consent
Description: The issue was addressed with improved handling of caches.
WebKit Bugzilla: 296153
CVE-2025-43356: Jaydev Ahire

WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 294550
CVE-2025-43272: Big Bear

WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 296490
CVE-2025-43343: an anonymous researcher

WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A correctness issue was addressed with improved checks.
WebKit Bugzilla: 296042
CVE-2025-43342: an anonymous researcher

Additional recognition

Accounts
We would like to acknowledge 要乐奈 for their assistance.

AuthKit
We would like to acknowledge Rosyna Keller of Totally Not Malicious Software for their assistance.

Calendar
We would like to acknowledge Keisuke Chinone (Iroiro) for their assistance.

CFNetwork
We would like to acknowledge Christian Kohlschütter for their assistance.

CloudKit
We would like to acknowledge Yinyi Wu (@_3ndy1) from Dawn Security Lab of JD.com, Inc for their assistance.

darwinOS
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.

Foundation
We would like to acknowledge Csaba Fitzl (@theevilbit) of Kandji for their assistance.

ImageIO
We would like to acknowledge DongJun Kim (@smlijun) and JongSeong Kim (@nevul37) in Enki WhiteHat for their assistance.

Kernel
We would like to acknowledge Yepeng Pan, Prof. Dr. Christian Rossow for their assistance.

libc
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.

libpthread
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.

libxml2
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.

Lockdown Mode
We would like to acknowledge Pyrophoria and Ethan Day, kado for their assistance.

mDNSResponder
We would like to acknowledge Barrett Lyon for their assistance.

MediaRemote
We would like to acknowledge Dora Orak for their assistance.

Sandbox Profiles
We would like to acknowledge Rosyna Keller of Totally Not Malicious Software for their assistance.

Transparency
We would like to acknowledge Wojciech Regula of SecuRing (wojciechregula.blog), 要乐奈 for their assistance.

WebKit
We would like to acknowledge Bob Lord, Matthew Liang, Mike Cardwell of grepular.com for their assistance.

Wi-Fi
We would like to acknowledge Aobo Wang (@M4x_1997), Csaba Fitzl (@theevilbit) of Kandji, Noah Gregory (wts.dev), Wojciech Regula of SecuRing (wojciechregula.blog), an anonymous researcher for their assistance.

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/