Apple Xcode

Recent Apple Xcode Security Advisories

Advisory   Title                                        Published
125641     Xcode 26.1 - Apple Security Content          November 3, 2025
125117     Xcode 26 - Apple Security Content            September 15, 2025
122380     Xcode 16.3 - Apple Security Content          March 31, 2025
121239     Xcode 16 - Apple Support Security Content    September 16, 2024
HT214092   Xcode 15.3 Security Content                  March 5, 2024
HT213939   Xcode 15 Security Content                    September 18, 2023
HT213883   Xcode 14.0 Security Content                  May 23, 2023
HT213679   Xcode 14.3 Security Content                  March 30, 2023
HT213496   Xcode 14.1 Security Content                  November 1, 2022
HT213261   Xcode 13.4 Security Content                  May 16, 2022

By the Year

In 2025 there have been 9 vulnerabilities in Apple Xcode with an average score of 6.6 out of ten. Last year, in 2024, Xcode had 7 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2025 than in all of last year. Last year, the average CVE base score was greater by 0.45.

Year   Vulnerabilities   Average Score
2025   9                 6.62
2024   7                 7.07
2023   7                 7.20
2022   13                7.70
2021   2                 7.75
2020   3                 7.63
2019   10                8.40
2018   4                 7.73

It may take a day or so for new Xcode vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apple Xcode Security Vulnerabilities

Buffer Overflow in Xcode < 26.1 Enables Network DoS by Privileged User
CVE-2025-43504 4.9 - Medium - November 04, 2025

A buffer overflow was addressed with improved bounds checking. This issue is fixed in Xcode 26.1. A user in a privileged network position may be able to cause a denial-of-service.

Buffer Overflow

Xcode 26.0 Out-of-Bounds Write via Improper Input Validation - Fixed in 26.1
CVE-2025-43505 8.8 - High - November 04, 2025

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in Xcode 26.1. Processing a maliciously crafted file may lead to heap corruption.

Memory Corruption

Apple Xcode Crash via Large Path Value
CVE-2025-43375 7.5 - High - September 15, 2025

The issue was addressed with improved checks. This issue is fixed in Xcode 26. Processing an overly large path value may crash a process.

Improper Input Validation

Xcode 26: Sandbox Escape via Improper File Access Checks
CVE-2025-43263 7.1 - High - September 15, 2025

The issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to read and write files outside of its sandbox.

Authorization

Apple Xcode 26 sandbox escape vulnerability
CVE-2025-43371 8.2 - High - September 15, 2025

This issue was addressed with improved checks. This issue is fixed in Xcode 26. An app may be able to break out of its sandbox.

Authorization

Xcode 26 Path Validation Failure: Large Path Crash (CVE-2025-43370)
CVE-2025-43370 4 - Medium - September 15, 2025

A path handling issue was addressed with improved validation. This issue is fixed in Xcode 26. Processing an overly large path value may crash a process.

Classic Buffer Overflow

Git config CRLF issue allows unintended submodule hook exec (v2.43+)
CVE-2025-48384 8.1 - High - July 08, 2025

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Interpretation Conflict

Apple Xcode Pre-16.3 Vulnerable Arbitrary File Overwrite via State Management
CVE-2025-30441 5.5 - Medium - March 31, 2025

This issue was addressed through improved state management. This issue is fixed in Xcode 16.3. An app may be able to overwrite arbitrary files.

Memory Corruption

Xcode before 16.3: Malicious App May Access Private Information
CVE-2025-24226 5.5 - Medium - March 31, 2025

The issue was addressed with improved checks. This issue is fixed in Xcode 16.3. A malicious app may be able to access private information.

Information Disclosure

Apple Xcode Permissions Inheritance Vulnerability CVE-2024-44228
CVE-2024-44228 7.5 - High - October 28, 2024

This issue was addressed with improved permissions checking. This issue is fixed in Xcode 16. An app may be able to inherit Xcode permissions and access user data.

Apple Xcode 16: Apple ID Disclosure via Sensitive Data Exposure
CVE-2024-40862 7.5 - High - September 17, 2024

A privacy issue was addressed by removing sensitive data. This issue is fixed in Xcode 16. An attacker may be able to determine the Apple ID of the owner of the computer.

Information Disclosure

Apple Xcode Keychain Access via Hardened Runtime Exploit (CVE-2024-44162)
CVE-2024-44162 7.8 - High - September 17, 2024

This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items.

Authorization

Apple iOS Pre17.7 Unauthorized Bluetooth Access via State Management
CVE-2024-44191 5.5 - Medium - September 17, 2024

This issue was addressed through improved state management. This issue is fixed in iOS 17.7 and iPadOS 17.7, Xcode 16, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. An app may gain unauthorized access to Bluetooth.

Git < 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, 2.39.4: Submodule Write to .git/ During Clone
CVE-2024-32002 9.1 - Critical - May 14, 2024

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Directory Traversal

CVE-2024-23298: Logic Issue Resolved via Improved State Management
CVE-2024-23298 4.3 - Medium - March 15, 2024

A logic issue was addressed with improved state management.

Apple Xcode Code Injection via Hardened Runtime Bypass CVE-2023-32383
CVE-2023-32383 7.8 - High - January 10, 2024

This issue was addressed by forcing hardened runtime on the affected binaries at the system level. This issue is fixed in macOS Monterey 12.6.6, macOS Big Sur 11.7.7, macOS Ventura 13.4. An app may be able to inject code into sensitive binaries bundled with Xcode.

The issue was addressed with improved memory handling
CVE-2023-40391 - September 27, 2023

The issue was addressed with improved memory handling. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, macOS Sonoma 14, Xcode 15. An app may be able to disclose kernel memory.

This issue was addressed by enabling hardened runtime
CVE-2023-40435 - September 27, 2023

This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 15. An app may be able to access App Store credentials.

This issue was addressed with improved checks
CVE-2023-32396 7.8 - High - September 27, 2023

This issue was addressed with improved checks. This issue is fixed in Xcode 15, tvOS 17, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to gain elevated privileges.

The issue was addressed with improved checks
CVE-2022-32920 5.5 - Medium - September 06, 2023

The issue was addressed with improved checks. This issue is fixed in Xcode 14.0. Parsing a file may lead to disclosure of user information.

This issue was addressed with improved entitlements
CVE-2023-27945 6.3 - Medium - May 08, 2023

This issue was addressed with improved entitlements. This issue is fixed in Xcode 14.3, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. A sandboxed app may be able to collect system logs.

The issue was addressed with improved memory handling
CVE-2023-27967 8.6 - High - May 08, 2023

The issue was addressed with improved memory handling. This issue is fixed in Xcode 14.3. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.

An injection issue was addressed with improved input validation
CVE-2022-42797 7.8 - High - February 27, 2023

An injection issue was addressed with improved input validation. This issue is fixed in Xcode 14.1. An app may be able to gain root privileges.

Injection

Git is an open source, scalable, distributed revision control system
CVE-2022-39260 8.8 - High - October 19, 2022

Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.

Memory Corruption

Git is an open source, scalable, distributed revision control system
CVE-2022-39253 5.5 - Medium - October 19, 2022

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

Insecure Temporary File

Git is a distributed revision control system
CVE-2022-29187 7.8 - High - July 12, 2022

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

DLL preloading

This issue was addressed with improved checks
CVE-2022-26747 7.8 - High - May 26, 2022

This issue was addressed with improved checks. This issue is fixed in Xcode 13.4. An app may be able to gain elevated privileges.

Git for Windows is a fork of Git containing Windows-specific patches
CVE-2022-24765 7.8 - High - April 12, 2022

Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.

DLL preloading

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22602 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22601 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22603 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22604 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22605 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22606 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22607 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22608 7.8 - High - March 18, 2022

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.

Out-of-bounds Read

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1): JNDI lookup remote code execution
CVE-2021-44228 10 - Critical - December 10, 2021

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Marshaling, Unmarshaling

A path handling issue was addressed with improved validation
CVE-2021-1800 5.5 - Medium - April 02, 2021

A path handling issue was addressed with improved validation. This issue is fixed in Xcode 12.4. A malicious application may be able to access arbitrary files on the host device while running an app that uses on-demand resources with Xcode.

This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7
CVE-2020-9992 7.8 - High - October 16, 2020

This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7. This issue is fixed in iOS 14.0 and iPadOS 14.0, Xcode 12.0. An attacker in a privileged network position may be able to execute arbitrary code on a paired device during a debug session over the network.

Git, Mercurial, Apple Xcode before 6.2 beta 3, libgit2, Egit and JGit: remote command execution via crafted .git/config on case-insensitive filesystems
CVE-2014-9390 9.8 - Critical - February 12, 2020

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

Improper Input Validation

NGINX before 1.17.7, with certain error_page configurations
CVE-2019-20372 5.3 - Medium - January 09, 2020

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

HTTP Request Smuggling

A memory corruption issue was addressed with improved state management
CVE-2019-8738 7.8 - High - December 18, 2019

A memory corruption issue was addressed with improved state management. This issue is fixed in Xcode 11.0. Processing a maliciously crafted file may lead to arbitrary code execution.

Buffer Overflow

A memory corruption issue was addressed with improved state management
CVE-2019-8739 7.8 - High - December 18, 2019

A memory corruption issue was addressed with improved state management. This issue is fixed in Xcode 11.0. Processing a maliciously crafted file may lead to arbitrary code execution.

Buffer Overflow

A memory corruption issue was addressed with improved validation
CVE-2019-8800 7.8 - High - December 18, 2019

A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution.

Buffer Overflow

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8724 8.8 - High - December 18, 2019

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.

Improper Input Validation

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8723 8.8 - High - December 18, 2019

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.

Improper Input Validation

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8722 8.8 - High - December 18, 2019

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.

Improper Input Validation

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8721 8.8 - High - December 18, 2019

Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.

Improper Input Validation

A memory corruption issue was addressed with improved validation
CVE-2019-8806 7.8 - High - December 18, 2019

A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution.

Buffer Overflow

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used
CVE-2019-14379 9.8 - Critical - July 29, 2019

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Prototype Pollution
