For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released March 27, 2023
AppleMobileFileIntegrity
Available for: Apple Watch Series 4 and later
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved checks.
CVE-2023-23527: Mickey Jin (@patch4t)
Calendar
Available for: Apple Watch Series 4 and later
Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information
Description: Multiple validation issues were addressed with improved input sanitization.
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)
CoreCapture
Available for: Apple Watch Series 4 and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-28181: Tingting Yin of Tsinghua University
Find My
Available for: Apple Watch Series 4 and later
Impact: An app may be able to read sensitive location information
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-23537: an anonymous researcher
FontParser
Available for: Apple Watch Series 4 and later
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-27956: Ye Zhang of Baidu Security
Foundation
Available for: Apple Watch Series 4 and later
Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution
Description: An integer overflow was addressed with improved input validation.
CVE-2023-27937: an anonymous researcher
Identity Services
Available for: Apple Watch Series 4 and later
Impact: An app may be able to access information about a user’s contacts
Description: A privacy issue was addressed with improved private data redaction for log entries.
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security
ImageIO
Available for: Apple Watch Series 4 and later
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2023-23535: ryuzaki
ImageIO
Available for: Apple Watch Series 4 and later
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz Innovation Lab and jzhu working with Trend Micro Zero Day Initiative
Kernel
Available for: Apple Watch Series 4 and later
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2023-27969: Adam Doupé of ASU SEFCOM
Kernel
Available for: Apple Watch Series 4 and later
Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2023-27933: sqrtpwn
Podcasts
Available for: Apple Watch Series 4 and later
Impact: An app may be able to access user-sensitive data
Description: The issue was addressed with improved checks.
CVE-2023-27942: Mickey Jin (@patch4t)
Shortcuts
Available for: Apple Watch Series 4 and later
Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
Description: The issue was addressed with additional permissions checks.
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies and Wenchao Li and Xiaolong Bai of Alibaba Group
TCC
Available for: Apple Watch Series 4 and later
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by removing the vulnerable code.
CVE-2023-27931: Mickey Jin (@patch4t)
WebKit
Available for: Apple Watch Series 4 and later
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: This issue was addressed with improved state management.
WebKit Bugzilla: 248615
CVE-2023-27932: an anonymous researcher
WebKit
Available for: Apple Watch Series 4 and later
Impact: A website may be able to track sensitive user information
Description: The issue was addressed by removing origin information.
WebKit Bugzilla: 250837
CVE-2023-27954: an anonymous researcher
Activation Lock
We would like to acknowledge Christian Mina for their assistance.
CFNetwork
We would like to acknowledge an anonymous researcher for their assistance.
CoreServices
We would like to acknowledge Mickey Jin (@patch4t) for their assistance.
ImageIO
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their assistance.
We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster University of Applied Sciences, Damian Poddebniak of FH Münster University of Applied Sciences, Tobias Kappert of Münster University of Applied Sciences, Christoph Saatjohann of Münster University of Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz Center for Information Security for their assistance.
Safari Downloads
We would like to acknowledge Andrew Gonzalez for their assistance.
WebKit
We would like to acknowledge an anonymous researcher for their assistance.