Fixed: A malicious application may be able to elevate privileges.
watchOS 11.2
Released December 11, 2024
APFS
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed through improved state management.
CVE-2024-54541: Arsenii Kostromin (0x3c3e) and an anonymous researcher
Entry added January 27, 2025
Apple Account
Available for: Apple Watch Series 6 and later
Impact: An attacker in a privileged network position may be able to track a user's activity
Description: The issue was addressed with improved handling of protocols.
CVE-2024-40864: Wojciech Regula of SecuRing (wojciechregula.blog)
Entry added April 2, 2025
AppleMobileFileIntegrity
Available for: Apple Watch Series 6 and later
Impact: A malicious app may be able to access private information
Description: The issue was addressed with improved checks.
CVE-2024-54526: Mickey Jin (@patch1t), Arsenii Kostromin (0x3c3e)
AppleMobileFileIntegrity
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved checks.
CVE-2024-54527: Mickey Jin (@patch1t)
Crash Reporter
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-54513: an anonymous researcher
Face Gallery
Available for: Apple Watch Series 6 and later
Impact: A system binary could be used to fingerprint a user's Apple Account
Description: The issue was addressed by removing the relevant flags.
CVE-2024-54512: Bistrit Dahal
Entry added January 27, 2025
FontParser
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2024-54486: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
ICU
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2024-54478: Gary Kwong
Entry added January 27, 2025
ImageIO
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A use-after-free issue was addressed with improved memory management.
CVE-2024-54499: Anonymous working with Trend Micro Zero Day Initiative
Entry added January 27, 2025
ImageIO
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2024-54500: Junsung Lee working with Trend Micro Zero Day Initiative
IOMobileFrameBuffer
Available for: Apple Watch Series 6 and later
Impact: An app may be able to corrupt coprocessor memory
Description: The issue was addressed with improved bounds checks.
CVE-2024-54517: Ye Zhang (@VAR10CK) of Baidu Security
CVE-2024-54518: Ye Zhang (@VAR10CK) of Baidu Security
CVE-2024-54522: Ye Zhang (@VAR10CK) of Baidu Security
CVE-2024-54523: Ye Zhang (@VAR10CK) of Baidu Security
Entry added January 27, 2025
Kernel
Available for: Apple Watch Series 6 and later
Impact: An app may be able to break out of its sandbox
Description: The issue was addressed with improved checks.
CVE-2024-54468: an anonymous researcher
Entry added January 27, 2025
Kernel
Available for: Apple Watch Series 6 and later
Impact: An attacker may be able to create a read-only memory mapping that can be written to
Description: A race condition was addressed with additional validation.
CVE-2024-54494: sohybbyk
Kernel
Available for: Apple Watch Series 6 and later
Impact: An app may be able to leak sensitive kernel state
Description: A race condition was addressed with improved locking.
CVE-2024-54510: Joseph Ravichandran (@0xjprx) of MIT CSAIL
libexpat
Available for: Apple Watch Series 6 and later
Impact: A remote attacker may cause an unexpected app termination or arbitrary code execution
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-45490
libxpc
Available for: Apple Watch Series 6 and later
Impact: An app may be able to break out of its sandbox
Description: The issue was addressed with improved checks.
CVE-2024-54514: an anonymous researcher
libxpc
Available for: Apple Watch Series 6 and later
Impact: An app may be able to gain elevated privileges
Description: A logic issue was addressed with improved checks.
CVE-2024-44225: 风沐云烟(@binary_fmyy)
MobileBackup
Available for: Apple Watch Series 6 and later
Impact: Restoring a maliciously crafted backup file may lead to modification of protected system files
Description: A logic issue was addressed with improved file handling.
CVE-2024-54525: Andrew James Gonzalez, Dragon Fruit Security (Davis Dai, ORAC 落云, Frank Du cooperative discovery)
Entry added March 17, 2025
Passkeys
Available for: Apple Watch Series 6 and later
Impact: Password autofill may fill in passwords after failing authentication
Description: The issue was addressed with improved checks.
CVE-2024-54530: Abhay Kailasia (@abhay_kailasia) from C-DAC Thiruvananthapuram India, Rakeshkumar Talaviya, Tomomasa Hiraiwa
Entry added January 27, 2025, updated March 17, 2025
QuartzCore
Available for: Apple Watch Series 6 and later
Impact: Processing web content may lead to a denial-of-service
Description: The issue was addressed with improved checks.
CVE-2024-54497: Anonymous working with Trend Micro Zero Day Initiative
Entry added January 27, 2025
Safari Private Browsing
Available for: Apple Watch Series 6 and later
Impact: Private Browsing tabs may be accessed without authentication
Description: An authentication issue was addressed with improved state management.
CVE-2024-54542: Rei (@reizydev), Kenneth Chew
Entry added January 27, 2025
SceneKit
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted file may lead to a denial of service
Description: The issue was addressed with improved checks.
CVE-2024-54501: Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative
Vim
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted file may lead to heap corruption
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-45306
Entry added January 27, 2025
WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 278497
CVE-2024-54479: Seunghyun Lee
WebKit Bugzilla: 281912
CVE-2024-54502: Brendon Tiszka of Google Project Zero
WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 282180
CVE-2024-54508: linjy of HKUS3Lab and chluo of WHUSecLab, Xiangwei Zhang of Tencent Security YUNDING LAB
WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: A type confusion issue was addressed with improved memory handling.
WebKit Bugzilla: 282661
CVE-2024-54505: Gary Kwong
WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 277967
CVE-2024-54534: Tashita Software Security
WebKit Bugzilla: 282450
CVE-2024-54543: Lukas Bernhard, Gary Kwong, and an anonymous researcher
Entry updated January 27, 2025