Full Disclosure mailing list archives
APPLE-SA-03-24-2026-10 Xcode 26.4
From: Apple Product Security via Fulldisclosure
Date: Tue, 24 Mar 2026 17:06:07 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-03-24-2026-10 Xcode 26.4

Xcode 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126801

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

otool
Available for: macOS Tahoe 26.2 and later
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2026-28890: Nathaniel Oh (@calysteon)

Simulator
Available for: macOS Tahoe 26.2 and later
Impact: An app may be able to read arbitrary files as root
Description: A permissions issue was addressed with additional
restrictions.
CVE-2026-28889: Mihai Marin

Additional recognition

Dev Tools
We would like to acknowledge Nathaniel Oh (@calysteon) for their
assistance.

otool
We would like to acknowledge Eddy T for their assistance.

Swift
We would like to acknowledge Banavath Aravind for their assistance.

Xcode 26.4 may be obtained from:
https://developer.apple.com/xcode/downloads/

To check that Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "Xcode 26.4".

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEhjkl+zMLNwFiCT1o4Ifiq8DH7PUFAmnDI48ACgkQ4Ifiq8DH
7PUtRg/+K3DU37tAHl9h/wfU7fO6J/I8YhzMGU6tcLK4b/9UG/16/qOwIUVLd9ML
mCrEQY3hevwMyA+ki0HRmE0aiNTtGiFlpxNxhsyo3p6QDMXR4xyPjyFFdOcjUfKI
kDHTg0NoCZWi63+hpGHhP3emCAr9/rDnOwtbUDrl57UaCc05HPydZ40ggNxz9S2/
wh6ZrXPKlQHDBYQcmRV1TkqcdpyCJqNNIG2N+SBH489easlDXfQf5AS1Go3otDbU
MwviuKhN4DDPbcV+SXVJjJR/NQzmWFO5RuFvjkFTh/Z7Xi9HQY1Ytkekwl/LfNDw
OdC1aMu7CxKe4ZmC3fcOEOoriVDXVqORm3fmu1h5e9q/aJgJJy/0Rsu6hvec0yqJ
SJOv+oVAlQalZF23XYDm71vM0GdFS6jXkjAcDyeUIgK4a1xSNCln0fH/TEW4V+2f
plLWU8xirJ2vB+DO8+E6+Kg9WYDr63a8Tr0sNV0J42SwSbk3FLvsStEIgFIcm6HI
9SOyFWp3Jc8bFBmuOjiXFn9IBtkX6FT6TSWdDCIisdeilIcXHLRNa6Iljzn2kGqP
LmdGIbsSlggvy9thXIQ/t0ri2CL22aV6vV1Qjl1UW/i/vTtBA75ydroiyUhvo+If
dbSuto6QwxoTbULDd+lyHgRmJ4irQcOsJerFDI0k7Ju03n0hvdQ=
=YITA
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
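The advisory's update check is a GUI procedure (Xcode menu, About Xcode). As an added example that is not part of Apple's advisory, the POSIX shell script below performs the same check from the command line so it can be run across a fleet of build machines: it parses the output of `xcodebuild -version`, compares the installed version against the 26.4 fix level named above, and checks `sw_vers -productVersion` against the "macOS Tahoe 26.2 and later" availability line. `xcodebuild -version` and `sw_vers -productVersion` are standard macOS commands; the function names are my own, and the two sample outputs embedded in the script are constructed (the build numbers are placeholders).

```shell
#!/bin/sh
# Added example, not part of Apple's advisory: check from the command line
# whether an installed Xcode is at or above the 26.4 fix level for
# CVE-2026-28889 and CVE-2026-28890, instead of opening About Xcode.
# Run with --live on a Mac; without arguments it runs on constructed samples.

FIXED_XCODE="26.4"     # fixed version from APPLE-SA-03-24-2026-10
MIN_MACOS="26.2"       # "Available for: macOS Tahoe 26.2 and later"

# Pull the dotted version out of `xcodebuild -version` output, whose first
# line reads "Xcode <version>". Prints nothing if no such line is present.
xcode_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Xcode \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: exit 0 when dotted version A >= B. Components are compared
# numerically left to right; a missing component counts as 0, so that
# "26.10" > "26.4" and "26" < "26.4" (a plain string compare gets both wrong).
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{print $n}')
        y=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{print $n}')
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0            # ran out of components: versions are equal
        fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Classify `xcodebuild -version` output: prints "patched", "vulnerable" or
# "unknown" (no parseable version line) and returns 0, 1 or 2 respectively.
xcode_status() {
    v=$(xcode_version_from_output "$1")
    if [ -z "$v" ]; then
        echo "unknown"; return 2
    fi
    if version_ge "$v" "$FIXED_XCODE"; then
        echo "patched"; return 0
    fi
    echo "vulnerable"; return 1
}

# macos_can_take_update VERSION: exit 0 when this macOS can install Xcode 26.4.
macos_can_take_update() {
    version_ge "$1" "$MIN_MACOS"
}

# Live check on a Mac. A host that cannot take the update still gets its
# Xcode status reported, so the inventory shows why it stays vulnerable.
check_installed_xcode() {
    command -v xcodebuild >/dev/null 2>&1 || { echo "xcodebuild not found" >&2; return 2; }
    if ! macos_can_take_update "$(sw_vers -productVersion)"; then
        echo "macOS older than $MIN_MACOS: Xcode $FIXED_XCODE is not installable here" >&2
    fi
    xcode_status "$(xcodebuild -version 2>/dev/null)"
}

# Constructed sample outputs (build numbers are placeholders, not real ones).
SAMPLE_OLD='Xcode 26.3
Build version PLACEHOLDER'
SAMPLE_NEW='Xcode 26.4
Build version PLACEHOLDER'

if [ "${1:-}" = "--live" ]; then
    check_installed_xcode
else
    echo "sample 26.3: $(xcode_status "$SAMPLE_OLD")"   # vulnerable
    echo "sample 26.4: $(xcode_status "$SAMPLE_NEW")"   # patched
fi
```

The exit code of `xcode_status` (0 patched, 1 vulnerable, 2 unknown) is what a fleet runner should record; the printed word is for humans. The version compare is written out by hand rather than relying on `sort -V`, which is not guaranteed on every macOS `sort`.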