{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28890", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2026-03-03T16:36:03.980Z", "datePublished": "2026-03-25T00:32:51.440Z", "dateUpdated": "2026-04-02T18:24:17.212Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to cause unexpected system termination"}]}], "affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"version": "0", "status": "affected", "lessThan": "26.4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination."}], "references": [{"url": "https://support.apple.com/en-us/126801"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:24:17.212Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:57:34.890568Z", "id": "CVE-2026-28890", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T18:07:48.200Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-28890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:57:34.890568Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:58:04.024Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"status": "affected", "version": "0", "lessThan": "26.4", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/126801"}], "descriptions": [{"lang": "en", "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to cause unexpected system termination"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:24:17.212Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28890", "state": "PUBLISHED", "dateUpdated": "2026-04-02T18:24:17.212Z", "dateReserved": "2026-03-03T16:36:03.980Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-03-25T00:32:51.440Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F87BC4C-B08E-4A05-86E2-1CD228838DEA", "versionEndExcluding": "26.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 26.4. An app may be able to cause unexpected system termination."}, {"lang": "es", "value": "Se abord\u00f3 una lectura fuera de l\u00edmites con una comprobaci\u00f3n de l\u00edmites mejorada. Este problema se soluciona en Xcode 26.4. Una aplicaci\u00f3n podr\u00eda causar una terminaci\u00f3n inesperada del sistema."}], "id": "CVE-2026-28890", "lastModified": "2026-03-26T18:24:38.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T01:17:12.480", "references": [{"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/126801"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Xcode", "source": "cna", "vendor": "Apple"}, "product": "xcode", "vendor": "apple"}], "analysis": {"en": {"generated_at": "2026-03-26T19:27:35.248878+00:00", "value": {"mitigation_remediation": ["Update Xcode to version 26.4 or later.", "Restart Xcode after updating to apply the fix."], "summary": {"action": "Update Xcode", "impact": "Availability Loss (System Crash)"}, "threat_synthesis": {"affected_systems": "The issue affects Apple Xcode releases prior to version 26.4. Users running any Xcode installer older than 26.4 are potentially vulnerable. The update introduced improved bounds checking to eliminate the flaw.", "description_and_impact": "An out-of-bounds read under certain conditions allows an application to trigger an unexpected system termination. The vulnerability occurs when input bounds are not properly validated, leading to a read of memory outside the intended array. This can cause Xcode or the host system to crash, compromising availability but not confidentiality or integrity. The weakness corresponds to CWE-125: Out-of-Bounds Read.", "risk_and_exploitability": "With a CVSS base score of 5.5, the vulnerability is considered medium severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild. Because the flaw appears to require execution of rogue code within an Xcode project, it is most likely exploitable only by local users with access to the development environment; remote exploitation is not documented. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited real-world impact. The likely attack vector is local execution within Xcode."}}}}, "created": "2026-03-25T11:36:01.202540+00:00", "updated": "2026-03-27T09:50:26.522936+00:00", "vendors": ["apple", "apple$PRODUCT$xcode"]}