Description
This issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to break out of its sandbox.
Published: 2025-09-15
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape leading to privilege escalation
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an improper privilege control flaw (CWE-284) in Apple Xcode that could allow an application to break out of its sandbox. A malicious or compromised app exploiting it could gain elevated privileges and perform actions beyond its intended isolation boundary. The vendor description gives no further detail on the affected component or the conditions required.

Affected Systems

Apple is the affected vendor and Xcode the affected product. Versions prior to Xcode 26 are vulnerable, as the fix was applied in Xcode 26. No lower bound on affected versions is listed, so every release before Xcode 26 must be considered at risk.

Risk and Exploitability

The CVSS v3.1 score of 8.2 indicates high severity. The EPSS score of less than 1% suggests exploitation is currently unlikely to be seen in the wild, and the vulnerability is not in the CISA KEV catalog. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) describes a local attack that requires user interaction and crosses a security scope: a malicious or compromised app built with the vulnerable Xcode version escapes its sandbox and can then affect system resources or other applications, with high impact on confidentiality and integrity but none on availability.

Generated by OpenCVE AI on April 28, 2026 at 00:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xcode to version 26 or later, which contains the fix.
  • Verify that both the Xcode IDE and the associated command line tools are updated to the same version.
  • If an upgrade cannot be performed immediately, restrict the build and deployment environment to limit exposure and monitor system logs for signs of sandbox escape attempts.


Advisories
Source | ID | Title
EUVD | EUVD-2025-29336 | This issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to break out of its sandbox.
History

Tue, 28 Apr 2026 00:45:00 +0000

Type | Values Removed | Values Added
Title | | Potential Sandbox Escape in Apple Xcode via Improper Privilege Control

Mon, 03 Nov 2025 19:30:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 17 Sep 2025 14:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*

Wed, 17 Sep 2025 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple xcode
Vendors & Products | | Apple; Apple xcode

Tue, 16 Sep 2025 18:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Sep 2025 22:45:00 +0000

Type | Values Removed | Values Added
Description | | This issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to break out of its sandbox.
References | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:08.283Z

Reserved: 2025-04-16T15:24:37.114Z

Link: CVE-2025-43371

Vulnrichment

Updated: 2025-11-03T18:12:47.005Z

NVD

Status: Modified

Published: 2025-09-15T23:15:38.770

Modified: 2025-11-03T19:16:05.363

Link: CVE-2025-43371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T00:30:15Z

Weaknesses