{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28890", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2026-03-03T16:36:03.980Z", "datePublished": "2026-03-25T00:32:51.440Z", "dateUpdated": "2026-03-25T18:07:48.200Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to cause unexpected system termination"}]}], "affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"version": "0", "status": "affected", "lessThan": "26.4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination."}], "references": [{"url": "https://support.apple.com/en-us/126801"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-03-25T00:32:51.440Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:57:34.890568Z", "id": "CVE-2026-28890", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T18:07:48.200Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-28890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:57:34.890568Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:58:04.024Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"status": "affected", "version": "0", "lessThan": "26.4", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/126801"}], "descriptions": [{"lang": "en", "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to cause unexpected system termination"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-03-25T00:32:51.440Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28890", "state": "PUBLISHED", "dateUpdated": "2026-03-25T18:07:48.200Z", "dateReserved": "2026-03-03T16:36:03.980Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-03-25T00:32:51.440Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination."}], "id": "CVE-2026-28890", "lastModified": "2026-03-25T19:16:50.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T01:17:12.480", "references": [{"source": "product-security@apple.com", "url": "https://support.apple.com/en-us/126801"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Xcode", "source": "cna", "vendor": "Apple"}, "product": "xcode", "vendor": "apple"}], "analysis": {"en": {"generated_at": "2026-03-25T20:24:57.479116+00:00", "value": {"mitigation_remediation": ["Upgrade Xcode to version 26.4 or later"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Apple Xcode. Versions prior to 26.4 are vulnerable, as the fix is only included in 26.4 and later releases. No other Apple products are listed as affected.", "description_and_impact": "The vulnerability involves an out\u2011of\u2011bounds read caused by insufficient bounds checking. This defect can allow an application to read memory beyond its intended bounds, potentially triggering unexpected termination or crashes. The issue is fixed by adding bounds checks and is addressed in Xcode 26.4.", "risk_and_exploitability": "The published CVSS score of 5.5 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not present in the CISA KEV catalog. Because the flaw occurs during code compilation or runtime within Xcode, it is inferred that an attacker could trigger it by compiling malicious code or submitting a crafted project to Xcode, leading to a denial of service. No exploitable conditions beyond using the vulnerable version are specified."}}}}, "created": "2026-03-25T11:36:01.202540+00:00", "title": "Out-of-Bounds Read Vulnerability Allowing Unexpected System Termination in Xcode", "updated": "2026-03-25T21:16:18.300546+00:00", "vendors": ["apple", "apple$PRODUCT$xcode"]}