The vulnerability arose because Xcode did not validate the length of incoming path strings before using them in its internal processes. As a result, an attacker could supply an excessively long path value that would trigger a crash in one of Xcode's components. The crash leads to a denial of service for the developer or build environment using that instance of Xcode, representing a high likelihood of availability impact. The weakness is a classic input validation flaw (CWE-20).

The issue affects Apple Xcode versions prior to Xcode 26. Apple indicated that the problem is fixed in Xcode 26, so any builds and deployments using Xcode 25 or earlier are potentially vulnerable.

The CVSS score of 7.5 indicates a high severity. The EPSS score of < 1% suggests that, at present, exploitation probability is very low, and the vulnerability is not listed in the CISA KEV catalog. While the description does not specify how an attacker might supply an excessively long path, it is inferred that the attack requires the ability to provide an oversized path that Xcode processes, such as through a maliciously crafted file name or project file. Because the crash occurs only when Xcode processes an overly long path string, the attack requires that an attacker can supply a file path that Xcode will process. In a typical development or build environment, this could be achieved via injection of a malformed file or by manipulating a project file that Xcode reads. Although the surface is limited, patching remains the most reliable mitigant.