Description
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Availability Loss (System Crash)
Action: Update Xcode
AI Analysis

Impact

An out-of-bounds read allows an application to trigger an unexpected system termination. The flaw arises when a length or index derived from input is not validated against the buffer it addresses, so the affected code reads memory past the end of the intended buffer; Apple's description says the fix consisted of improved bounds checking. The documented effect is a crash of Xcode or the host system, i.e. a loss of availability; no loss of confidentiality or integrity is recorded, which matches the C:N/I:N/A:H part of the CVSS vector. The weakness is classified as CWE-125: Out-of-Bounds Read.
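To make the CWE-125 pattern and the "improved bounds checking" style of fix concrete, the following C program is an added example. It is not Apple's code and does not reproduce the actual Xcode bug (the record does not name the affected component); the record format, the function names, and the sample bytes are all invented for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustration of CWE-125 and of a bounds-checking fix. The record format
 * is invented for this example: a one-byte record count followed by that
 * many 4-byte little-endian values. It is NOT the format or code involved
 * in CVE-2026-28890.
 */

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: trusts the count in the header. When the count claims more
 * records than 'len' actually holds, the loop reads past the end of the
 * message. In real code that is undefined behaviour and the kind of fault
 * that ends in a crash. */
int sum_records_unchecked(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (buf == NULL || len < 1)
        return -1;
    size_t count = buf[0];
    uint32_t sum = 0;
    for (size_t i = 0; i < count; i++)
        sum += load_le32(buf + 1 + i * 4);   /* never compared against len */
    *out = sum;
    return 0;
}

/* Hardened: validate the count against the bytes actually present before
 * touching any record. The check is written as count > (len - 1) / 4 rather
 * than 1 + count * 4 > len so that it cannot overflow for any count value;
 * count <= 255 here, but the habit matters for wider length fields. */
int sum_records_checked(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (buf == NULL || len < 1)
        return -1;
    size_t count = buf[0];
    if (count > (len - 1) / 4)
        return -1;                           /* truncated or malicious input */
    uint32_t sum = 0;
    for (size_t i = 0; i < count; i++)
        sum += load_le32(buf + 1 + i * 4);
    *out = sum;
    return 0;
}

/* Constructed sample data. The message is the first 9 bytes (count says 4,
 * but only two records follow); the trailing 0xAA bytes stand in for
 * whatever happens to sit next in memory. Keeping them inside the same
 * array lets the unchecked version over-read without undefined behaviour
 * in this demonstration. */
static const uint8_t kBacking[1 + 2 * 4 + 8] = {
    0x04,
    0x01, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x00, 0x00,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
};
static const size_t kMessageLen = 9;

/* The same two records with an honest count. */
static const uint8_t kValid[1 + 2 * 4] = {
    0x02, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
};

uint32_t demo_unchecked_overread(void)
{
    uint32_t s = 0;
    sum_records_unchecked(kBacking, kMessageLen, &s);
    return s;   /* 1 + 2 + 0xAAAAAAAA + 0xAAAAAAAA = 0x55555557 (mod 2^32) */
}

int demo_checked_overread(void)
{
    uint32_t s = 0;
    return sum_records_checked(kBacking, kMessageLen, &s);   /* -1: rejected */
}

uint32_t demo_checked_valid(void)
{
    uint32_t s = 0;
    if (sum_records_checked(kValid, sizeof kValid, &s) != 0)
        return 0;
    return s;   /* 3 */
}

int main(void)
{
    printf("unchecked over-read sum: 0x%08x\n", demo_unchecked_overread());
    printf("checked over-read rc:    %d\n", demo_checked_overread());
    printf("checked valid sum:       %u\n", demo_checked_valid());
    return 0;
}
```

The unchecked result shows bytes that were never part of the message leaking into the computation; in a process without the padding array those reads land in unmapped or foreign memory and the outcome is the crash the advisory describes.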

Affected Systems

The issue affects Apple Xcode releases prior to version 26.4; any Xcode installation older than 26.4 should be treated as vulnerable. The CPE recorded for this entry (cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*) carries no version bound, so checks should be made against the installed Xcode version rather than inferred from the CPE. Version 26.4 introduced the improved bounds checking that resolves the flaw.

Risk and Exploitability

With a CVSS 3.1 base score of 5.5 (vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), the vulnerability is rated medium severity: the attack vector is local, no privileges are required, user interaction is required, scope is unchanged, and the only impact is to availability. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild. Apple's description says only that an app may be able to cause unexpected system termination, so the documented scenario is a malicious or malformed application running on the developer's machine; remote exploitation is not documented. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation "none" and Automatable "no". Those indicators mean no known in-the-wild exploitation at the time of writing; they do not bound the impact on a machine where such an app is run.

Generated by OpenCVE AI on March 26, 2026 at 19:27 UTC.
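The 5.5 score can be reproduced from the recorded vector. The following C program is an added example, not part of the OpenCVE analysis and not NVD or OpenCVE code; it implements the CVSS v3.1 base-score formula with the weights and the Roundup function from the public v3.1 specification, and it also handles the scope-changed branch, which this CVE does not exercise. The string kPageVector is the vector recorded in the History section of this page; all function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v3.1 base score from a vector string (added example). Weights and
 * Roundup follow the CVSS v3.1 specification, sections 7.1 to 7.6. */

static int metric(const char *vec, const char *key, char *out)
{
    /* Every metric in a v3.1 vector is introduced by '/', so "/I:" cannot
     * match inside "/UI:" and "/A:" cannot match inside "/AV:" or "/AC:". */
    const char *p = strstr(vec, key);
    if (p == NULL)
        return 0;
    *out = p[strlen(key)];
    return *out != '\0';
}

static double av_w(char m) { switch (m) { case 'N': return 0.85; case 'A': return 0.62; case 'L': return 0.55; case 'P': return 0.20; default: return -1.0; } }
static double ac_w(char m) { switch (m) { case 'L': return 0.77; case 'H': return 0.44; default: return -1.0; } }
static double pr_w(char m, int changed)
{
    switch (m) {
    case 'N': return 0.85;
    case 'L': return changed ? 0.68 : 0.62;   /* PR weighs more when scope changes */
    case 'H': return changed ? 0.50 : 0.27;
    default:  return -1.0;
    }
}
static double ui_w(char m) { switch (m) { case 'N': return 0.85; case 'R': return 0.62; default: return -1.0; } }
static double cia_w(char m) { switch (m) { case 'H': return 0.56; case 'L': return 0.22; case 'N': return 0.0; default: return -1.0; } }

/* Roundup per CVSS v3.1 section 7.6, done on an integer so that values that
 * are not exactly representable in binary floating point round the same way
 * the specification's reference implementation does. */
static double roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Returns the base score, or -1.0 for a vector this parser does not accept. */
double cvss31_base_score(const char *vec)
{
    char av, ac, pr, ui, s, c, i, a;
    if (strncmp(vec, "CVSS:3.1/", 9) != 0)
        return -1.0;
    if (!metric(vec, "/AV:", &av) || !metric(vec, "/AC:", &ac) ||
        !metric(vec, "/PR:", &pr) || !metric(vec, "/UI:", &ui) ||
        !metric(vec, "/S:", &s)   || !metric(vec, "/C:", &c)   ||
        !metric(vec, "/I:", &i)   || !metric(vec, "/A:", &a))
        return -1.0;
    int changed = (s == 'C');
    if (!changed && s != 'U')
        return -1.0;
    double wav = av_w(av), wac = ac_w(ac), wpr = pr_w(pr, changed), wui = ui_w(ui);
    double wc = cia_w(c), wi = cia_w(i), wa = cia_w(a);
    if (wav < 0 || wac < 0 || wpr < 0 || wui < 0 || wc < 0 || wi < 0 || wa < 0)
        return -1.0;

    double iss = 1.0 - (1.0 - wc) * (1.0 - wi) * (1.0 - wa);
    double impact;
    if (changed) {
        double t = iss - 0.02, p15 = 1.0;
        for (int k = 0; k < 15; k++)
            p15 *= t;                        /* (ISS - 0.02)^15 without libm */
        impact = 7.52 * (iss - 0.029) - 3.25 * p15;
    } else {
        impact = 6.42 * iss;
    }
    double exploitability = 8.22 * wav * wac * wpr * wui;
    if (impact <= 0.0)
        return 0.0;
    double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    if (raw > 10.0)
        raw = 10.0;
    return roundup(raw);
}

/* The vector recorded for CVE-2026-28890 on this page. */
const char *const kPageVector = "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H";

int main(void)
{
    printf("%s -> %.1f\n", kPageVector, cvss31_base_score(kPageVector));
    return 0;
}
```

For this vector the impact sub-score is 6.42 x 0.56 = 3.5952 and the exploitability sub-score is 8.22 x 0.55 x 0.77 x 0.85 x 0.62 = 1.8346; their sum, 5.4298, rounds up to 5.5. Availability alone (A:H) is what keeps the score in the medium band; the same vector with C:H and I:H would be well into high.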

Remediation

Vendor fix: Xcode 26.4, in which Apple addressed the out-of-bounds read with improved bounds checking (see the description above). No workaround is documented for earlier releases.

OpenCVE Recommended Actions

  • Update Xcode to version 26.4 or later.
  • Restart Xcode after updating to apply the fix.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 10:00:00 +0000

Type: Title
Values: Out-of-Bounds Read Vulnerability Allowing Unexpected System Termination in Xcode

Thu, 26 Mar 2026 18:30:00 +0000

Type: CPEs
Values: cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 22:00:00 +0000

Type: Title
Values: Out-of-Bounds Read Vulnerability Allowing Unexpected System Termination in Xcode

Wed, 25 Mar 2026 19:15:00 +0000

Type: Weaknesses
Values Added: CWE-125

Type: Metrics
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
              ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Apple, Apple xcode

Type: Vendors & Products
Values Added: Apple, Apple xcode

Wed, 25 Mar 2026 01:00:00 +0000

Type: Description
Values Added: An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:24:17.212Z

Reserved: 2026-03-03T16:36:03.980Z

Link: CVE-2026-28890

Vulnrichment

Updated: 2026-03-25T17:58:04.024Z

NVD

Status : Analyzed

Published: 2026-03-25T01:17:12.480

Modified: 2026-03-26T18:24:38.557

Link: CVE-2026-28890

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:50:26Z

Weaknesses