SB2026021193 - Multiple vulnerabilities in Apple tvOS
Published: February 11, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 secuirty vulnerabilities.
1) Memory corruption (CVE-ID: CVE-2026-20654)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Kernel. A local application can cause unexpected system termination.
2) Buffer overflow (CVE-ID: CVE-2026-20635)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser.
3) Information disclosure (CVE-ID: CVE-2026-20641)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to excessive data output by StoreKit. A local application can identify what other apps a user has installed.
4) Permissions, privileges, and access controls (CVE-ID: CVE-2026-20628)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Sandbox. A local application can break out of its sandbox.
5) Resource exhaustion (CVE-ID: CVE-2025-59375)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger large dynamic memory allocations via a small document and perform a denial of service (DoS) attack.
6) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2026-20671)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to a logic issue in the OS kernel. A remote attacker on the local network can intercept network traffic.
7) Memory corruption (CVE-ID: CVE-2026-20634)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a boundary error in ImageIO. A remote attacker can trick the victim into opening a specially crafted file and gain access to sensitive information.
8) Input validation error (CVE-ID: CVE-2026-20650)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Bluetooth. A remote attacker in a privileged network position can send specially crafted Bluetooth packets to the system and perform a denial of service (DoS) attack.
9) Memory corruption (CVE-ID: CVE-2026-20675)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a boundary error in ImageIO. A local user can trick the victim into opening a specially crafted file and perform disclosure of user information.
10) Information disclosure (CVE-ID: CVE-2026-20649)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to excessive data output by the Game Center. A local user can view sensitive user information.
11) Buffer overflow (CVE-ID: CVE-2026-20700)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in dyld. A local user can trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild in conjunction with vulnerabilities #VU119833 (CVE-2025-14174) and #VU119902 (CVE-2025-43529).
12) Use-after-free (CVE-ID: CVE-2025-43529)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
13) Out-of-bounds write (CVE-ID: CVE-2025-14174)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in ANGLE. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
14) State issues (CVE-ID: CVE-2026-20617)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a state management issue in CoreServices. A local application can gain root privileges.
15) Memory corruption (CVE-ID: CVE-2026-20609)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in CoreMedia. A remote attacker can trick the victim into opening a specially crafted file and perform a denial-of-service or potentially disclose memory contents.
16) Memory corruption (CVE-ID: CVE-2026-20611)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in CoreAudio. A local application can trick the victim into opening a specially crafted file and perform unexpected app termination or corrupt process memory.
Remediation
Install update from vendor's website.