iTunes Apple iTunes Apple iTunes Software

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Apple iTunes.

Recent Apple iTunes Security Advisories

Advisory Title Published
121328 iTunes 12.13.3 for Windows - Apple Security Content September 12, 2024
HT214099 iTunes 12.13.2 for Windows Security Content May 8, 2024
HT214091 iTunes 12.13.1 for Windows Security Content December 14, 2023
HT213763 iTunes 12.12.9 for Windows Security Content May 23, 2023
HT213259 iTunes 12.12.4 for Windows Security Content May 18, 2022
HT213188 iTunes 12.12.3 for Windows Security Content March 8, 2022
HT212817 iTunes 12.12 for Windows Security Content September 20, 2021
HT212809 iTunes U 3.8.3 Security Content September 15, 2021
HT212609 iTunes 12.11.4 for Windows Security Content August 9, 2021
HT212319 iTunes 12.11.3 for Windows Security Content April 22, 2021

By the Year

In 2025 there have been 0 vulnerabilities in Apple iTunes. Last year, in 2024 iTunes had 5 security vulnerabilities published. Right now, iTunes is on track to have less security vulnerabilities in 2025 than it did last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 5 7.34
2023 2 7.80
2022 9 8.09
2021 8 6.98
2020 85 7.51
2019 93 8.34
2018 0 0.00

It may take a day or so for new iTunes vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apple iTunes Security Vulnerabilities

A stack buffer overflow was addressed through improved input validation

CVE-2024-44157 5.5 - Medium - October 11, 2024

A stack buffer overflow was addressed through improved input validation. This issue is fixed in Apple TV 1.5.0.152 for Windows, iTunes 12.13.3 for Windows. Parsing a maliciously crafted video file may lead to unexpected system termination.

Memory Corruption

A logic issue was addressed with improved restrictions

CVE-2024-44193 7.8 - High - October 02, 2024

A logic issue was addressed with improved restrictions. This issue is fixed in iTunes 12.13.3 for Windows. A local attacker may be able to elevate their privileges.

The issue was addressed with improved checks

CVE-2024-27793 7.8 - High - May 14, 2024

The issue was addressed with improved checks. This issue is fixed in iTunes 12.13.2 for Windows. Parsing a file may lead to an unexpected app termination or arbitrary code execution.

A logic issue was addressed with improved checks

CVE-2022-48611 7.8 - High - April 26, 2024

A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.4 for Windows. A local attacker may be able to elevate their privileges.

A logic issue was addressed with improved checks

CVE-2023-42938 7.8 - High - March 14, 2024

A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.13.1 for Windows. A local attacker may be able to elevate their privileges.

A logic issue was addressed with improved checks

CVE-2023-32351 7.8 - High - June 23, 2023

A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to gain elevated privileges.

A logic issue was addressed with improved checks

CVE-2023-32353 7.8 - High - June 23, 2023

A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to elevate privileges.

A use after free issue was addressed with improved memory management

CVE-2022-26717 8.8 - High - November 01, 2022

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, watchOS 8.6, iOS 15.5 and iPadOS 15.5, macOS Monterey 12.4, Safari 15.5, iTunes 12.12.4 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.

Dangling pointer

A buffer overflow issue was addressed with improved memory handling

CVE-2022-22629 8.8 - High - September 23, 2022

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iTunes 12.12.3 for Windows, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

Memory Corruption

An out-of-bounds read was addressed with improved input validation

CVE-2020-36521 7.1 - High - September 23, 2022

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iCloud for Windows 11.4, iOS 14.0 and iPadOS 14.0, watchOS 7.0, tvOS 14.0, iCloud for Windows 7.21, iTunes for Windows 12.10.9. Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents.

Out-of-bounds Read

A memory corruption issue was addressed with improved input validation

CVE-2022-26751 7.8 - High - May 26, 2022

A memory corruption issue was addressed with improved input validation. This issue is fixed in iTunes 12.12.4 for Windows, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, macOS Big Sur 11.6.6, macOS Monterey 12.4. Processing a maliciously crafted image may lead to arbitrary code execution.

Memory Corruption

A logic issue was addressed with improved state management

CVE-2022-26773 7.1 - High - May 26, 2022

A logic issue was addressed with improved state management. This issue is fixed in iTunes 12.12.4 for Windows. An application may be able to delete files for which it does not have permission.

A logic issue was addressed with improved state management

CVE-2022-26774 7.8 - High - May 26, 2022

A logic issue was addressed with improved state management. This issue is fixed in iTunes 12.12.4 for Windows. A local attacker may be able to elevate their privileges.

An integer overflow issue was addressed with improved input validation

CVE-2022-26711 9.8 - Critical - May 26, 2022

An integer overflow issue was addressed with improved input validation. This issue is fixed in tvOS 15.5, iTunes 12.12.4 for Windows, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Monterey 12.4. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.

Integer Overflow or Wraparound

An out-of-bounds read was addressed with improved input validation

CVE-2022-22611 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved input validation. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, iTunes 12.12.3 for Windows, watchOS 8.5, macOS Monterey 12.3. Processing a maliciously crafted image may lead to arbitrary code execution.

Out-of-bounds Read

A memory consumption issue was addressed with improved memory handling

CVE-2022-22612 7.8 - High - March 18, 2022

A memory consumption issue was addressed with improved memory handling. This issue is fixed in tvOS 15.4, iOS 15.4 and iPadOS 15.4, iTunes 12.12.3 for Windows, watchOS 8.5, macOS Monterey 12.3. Processing a maliciously crafted image may lead to heap corruption.

Memory Corruption

A null pointer dereference was addressed with improved validation

CVE-2018-4302 7.8 - High - December 23, 2021

A null pointer dereference was addressed with improved validation. This issue is fixed in macOS High Sierra 10.13, iCloud for Windows 7.0, watchOS 4, iOS 11, iTunes 12.7 for Windows. Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution.

NULL Pointer Dereference

This issue was addressed with improved checks

CVE-2021-30847 7.8 - High - October 19, 2021

This issue was addressed with improved checks. This issue is fixed in watchOS 8, macOS Big Sur 11.6, Security Update 2021-005 Catalina, tvOS 15, iOS 15 and iPadOS 15, iTunes 12.12 for Windows. Processing a maliciously crafted image may lead to arbitrary code execution.

Multiple memory corruption issues were addressed with improved memory handling

CVE-2021-30849 7.8 - High - October 19, 2021

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 14.8 and iPadOS 14.8, watchOS 8, Safari 15, tvOS 15, iOS 15 and iPadOS 15, iTunes 12.12 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.

Memory Corruption

This issue was addressed with improved checks

CVE-2021-30835 7.8 - High - October 19, 2021

This issue was addressed with improved checks. This issue is fixed in Security Update 2021-005 Catalina, iTunes 12.12 for Windows, tvOS 15, iOS 15 and iPadOS 15, watchOS 8. Processing a maliciously crafted image may lead to arbitrary code execution.

A memory initialization issue was addressed with improved memory handling

CVE-2021-1857 6.5 - Medium - September 08, 2021

A memory initialization issue was addressed with improved memory handling. This issue is fixed in iTunes 12.11.3 for Windows, Security Update 2021-002 Catalina, Security Update 2021-003 Mojave, iCloud for Windows 12.3, macOS Big Sur 11.3, watchOS 7.4, tvOS 14.5, iOS 14.5 and iPadOS 14.5. Processing maliciously crafted web content may disclose sensitive user information.

Improper Initialization

A logic issue was addressed with improved state management

CVE-2021-1811 6.5 - Medium - September 08, 2021

A logic issue was addressed with improved state management. This issue is fixed in iTunes 12.11.3 for Windows, Security Update 2021-002 Catalina, Security Update 2021-003 Mojave, iCloud for Windows 12.3, macOS Big Sur 11.3, watchOS 7.4, tvOS 14.5, iOS 14.5 and iPadOS 14.5. Processing a maliciously crafted font may result in the disclosure of process memory.

An input validation issue was addressed with improved input validation

CVE-2021-1825 6.1 - Medium - September 08, 2021

An input validation issue was addressed with improved input validation. This issue is fixed in iTunes 12.11.3 for Windows, iCloud for Windows 12.3, macOS Big Sur 11.3, Safari 14.1, watchOS 7.4, tvOS 14.5, iOS 14.5 and iPadOS 14.5. Processing maliciously crafted web content may lead to a cross site scripting attack.

XSS

In FreeBSD 12.1-STABLE before r364644, 11.4-STABLE before r364651, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, improper handling in the kernel causes a use-after-free bug by sending large user messages

CVE-2020-7463 5.5 - Medium - March 26, 2021

In FreeBSD 12.1-STABLE before r364644, 11.4-STABLE before r364651, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, improper handling in the kernel causes a use-after-free bug by sending large user messages from multiple threads on the same SCTP socket. The use-after-free situation may result in unintended kernel behaviour including a kernel panic.

Dangling pointer

A use after free issue was addressed with improved memory management

CVE-2020-27918 7.8 - High - December 08, 2020

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, Safari 14.0.1, tvOS 14.2, iTunes 12.11 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.

Dangling pointer

An information disclosure issue existed in the transition of program state

CVE-2020-27895 3.3 - Low - December 08, 2020

An information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling. This issue is fixed in iTunes 12.11 for Windows. A malicious application may be able to access local users Apple IDs.

Information Disclosure

An integer overflow was addressed through improved input validation

CVE-2020-27911 7.8 - High - December 08, 2020

An integer overflow was addressed through improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, tvOS 14.2, iTunes 12.11 for Windows. A remote attacker may be able to cause unexpected application termination or arbitrary code execution.

Integer Overflow or Wraparound

An out-of-bounds write was addressed with improved input validation

CVE-2020-27912 7.8 - High - December 08, 2020

An out-of-bounds write was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, tvOS 14.2, iTunes 12.11 for Windows. Processing a maliciously crafted image may lead to arbitrary code execution.

Memory Corruption

A use after free issue was addressed with improved memory management

CVE-2020-27917 7.8 - High - December 08, 2020

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, tvOS 14.2, iTunes 12.11 for Windows. Processing maliciously crafted web content may lead to code execution.

Dangling pointer

A type confusion issue was addressed with improved state handling

CVE-2020-27932 7.8 - High - December 08, 2020

A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to execute arbitrary code with kernel privileges.

Object Type Confusion

An information disclosure issue was addressed with improved state management

CVE-2020-9849 6.5 - Medium - December 08, 2020

An information disclosure issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.0, iOS 14.0 and iPadOS 14.0, iTunes for Windows 12.10.9, iCloud for Windows 11.5, tvOS 14.0. A remote attacker may be able to leak memory.

Information Disclosure

A use after free issue was addressed with improved memory management

CVE-2020-9947 8.8 - High - December 08, 2020

A use after free issue was addressed with improved memory management. This issue is fixed in watchOS 7.0, iOS 14.0 and iPadOS 14.0, iTunes for Windows 12.10.9, iCloud for Windows 11.5, tvOS 14.0, Safari 14.0. Processing maliciously crafted web content may lead to arbitrary code execution.

Dangling pointer

A use after free issue was addressed with improved memory management

CVE-2020-9981 7.8 - High - December 08, 2020

A use after free issue was addressed with improved memory management. This issue is fixed in watchOS 7.0, iOS 14.0 and iPadOS 14.0, iTunes for Windows 12.10.9, iCloud for Windows 11.5, tvOS 14.0, macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave. Processing a maliciously crafted file may lead to arbitrary code execution.

Dangling pointer

A memory corruption issue was addressed with improved state management

CVE-2020-9999 7.8 - High - December 08, 2020

A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, iTunes for Windows 12.10.9. Processing a maliciously crafted text file may lead to arbitrary code execution.

Buffer Overflow

A logic issue was addressed with improved state management

CVE-2020-10002 5.5 - Medium - December 08, 2020

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, tvOS 14.2, iTunes 12.11 for Windows. A local user may be able to read arbitrary files.

A logic issue was addressed with improved validation

CVE-2020-3864 7.8 - High - October 27, 2020

A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin.

Origin Validation Error

An out-of-bounds read was addressed with improved input validation

CVE-2020-9961 7.8 - High - October 27, 2020

An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave. Processing a maliciously crafted image may lead to arbitrary code execution.

Out-of-bounds Read

A use after free issue was addressed with improved memory management

CVE-2019-8846 8.8 - High - October 27, 2020

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

Dangling pointer

Multiple memory corruption issues were addressed with improved memory handling

CVE-2019-8835 8.8 - High - October 27, 2020

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

Memory Corruption

Multiple memory corruption issues were addressed with improved memory handling

CVE-2019-8844 8.8 - High - October 27, 2020

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, watchOS 6.1.1, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.

Memory Corruption

A buffer overflow issue was addressed with improved memory handling

CVE-2020-9919 7.8 - High - October 22, 2020

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Memory Corruption

An out-of-bounds write issue was addressed with improved bounds checking

CVE-2020-9937 7.8 - High - October 22, 2020

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Memory Corruption

An out-of-bounds read was addressed with improved input validation

CVE-2020-9938 7.8 - High - October 22, 2020

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved input validation

CVE-2020-9984 7.8 - High - October 22, 2020

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved input validation

CVE-2020-9873 7.8 - High - October 22, 2020

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Out-of-bounds Read

An out-of-bounds write issue was addressed with improved bounds checking

CVE-2020-9871 7.8 - High - October 22, 2020

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Memory Corruption

An out-of-bounds write issue was addressed with improved bounds checking

CVE-2020-9872 7.8 - High - October 22, 2020

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Memory Corruption

An out-of-bounds write issue was addressed with improved bounds checking

CVE-2020-9876 7.8 - High - October 22, 2020

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.

Memory Corruption

An out-of-bounds write issue was addressed with improved bounds checking

CVE-2020-9874 7.8 - High - October 22, 2020

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Memory Corruption

An integer overflow was addressed through improved input validation

CVE-2020-9875 7.8 - High - October 22, 2020

An integer overflow was addressed through improved input validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing a maliciously crafted image may lead to arbitrary code execution.

Integer Overflow or Wraparound

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apple iPadOS or by Apple? Click the Watch button to subscribe.

Apple
Vendor

Apple iTunes
Apple iTunes Software

subscribe