CVE-2026-24064: Local Privilege Escalation via Dynamic Library Injection in Waves Central for macOS
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A local privilege escalation vulnerability exists in Waves Central for macOS versions 13.0.9 through 16.5.5, caused by a trusted XPC client component signed with hardened runtime entitlements that permit dynamic library injection. An attacker who already has a low-privilege shell on the host can set the DYLD_INSERT_LIBRARIES environment variable to load an attacker-controlled library into the signed process at launch, bypassing the trust check the privileged helper service uses to authenticate callers. Successful exploitation results in arbitrary code execution as root. A patched-image rebuild at version 16.6.2 is available on HarborGuard for environments running an affected version.
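A defender-side check for the condition described above, as an added example that is not part of the advisory or the vendor's code: it parses an entitlements plist (for instance the XML printed by `codesign -d --entitlements - --xml <binary>`) and flags the hardened runtime exceptions that let DYLD_INSERT_LIBRARIES take effect. The two entitlement keys are Apple's documented exceptions and are an assumption here, since the advisory does not name the ones involved; the sample names and plists are constructed.

```python
import plistlib

# Apple-documented hardened runtime exception entitlements. The advisory does
# not name the entitlements on the affected component, so treating this pair
# as the relevant ones is an assumption of this example.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Classify an entitlements plist by its exposure to dylib injection."""
    data = plist_bytes.strip()
    # A binary signed with no entitlements yields empty output.
    ents = plistlib.loads(data) if data else {}
    # Only boolean true grants the exception; false or a missing key does not.
    dyld_env = ents.get(ALLOW_DYLD_ENV) is True
    no_libval = ents.get(DISABLE_LIB_VALIDATION) is True
    if dyld_env and no_libval:
        verdict = "injectable"  # DYLD_* honored and foreign-signed libraries load
    elif dyld_env or no_libval:
        verdict = "weakened"    # one protection removed; review the other
    else:
        verdict = "hardened"    # neither exception granted
    return {"verdict": verdict, "allow_dyld_env": dyld_env,
            "disable_library_validation": no_libval}


# Constructed sample entitlement sets (not taken from any real binary).
SAMPLES = {
    "xpc-client-risky": plistlib.dumps({ALLOW_DYLD_ENV: True, DISABLE_LIB_VALIDATION: True}),
    "xpc-client-partial": plistlib.dumps({ALLOW_DYLD_ENV: True, DISABLE_LIB_VALIDATION: False}),
    "xpc-client-clean": plistlib.dumps({"com.apple.security.app-sandbox": True}),
    "no-entitlements": b"",
}


def audit_all(samples: dict) -> dict:
    """Return the verdict for each named entitlements blob."""
    return {name: audit_entitlements(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The check covers entitlements only; whether a binary carries the hardened runtime flag at all has to be read from its code signature separately.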
HarborGuard Coverage
Detection of CVE-2026-24064 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Waves Central. Any image carrying a Waves Central binary in the affected version range (13.0.9 through 16.5.5) is flagged automatically.
Status: Available
HarborGuard scores this CVE at CVSS 7.8 HIGH and surfaces it alongside per-environment compliance policy weighting, so teams with stricter privilege-escalation controls see it prioritized accordingly. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
A patched-image rebuild at Waves Central 16.6.2 becomes available through HarborGuard once a base image or application layer carrying the fix is present in the upstream source. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the target system is required.
- Authentication: Required
A low-privilege local account is sufficient; the attacker does not need administrator or root credentials before exploitation.
- Victim interaction: Not required
No action from another user is needed; the attacker can trigger the injection by launching the XPC client process themselves.
- Attack complexity: Detail
The exploit is reliable and condition-free: setting DYLD_INSERT_LIBRARIES before process launch is a straightforward, repeatable technique with no race conditions or memory-layout dependencies.
Blast Radius
- Injected code runs as the trusted XPC client and gains the ability to invoke privileged operations through the helper service, resulting in arbitrary code execution as root.
- An attacker with root execution can read any file on the system, including credential stores, private keys, and application secrets.
- An attacker with root execution can write or replace any file on the system, including system binaries, launch daemons, and application data.
- An attacker with root execution can crash, disable, or persistently backdoor any process or service on the host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-24064 is matched against all images in connected registries and CI pipelines within minutes of advisory ingestion. No fix had been published when the CVE first appeared, but version 16.6.2 has since been identified as the fix release, so a patched-image rebuild at 16.6.2 is available for environments where the source layer has been updated to carry that version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
For environments where upgrading immediately is not possible, compensating controls include restricting the DYLD_INSERT_LIBRARIES environment variable via macOS endpoint policy, applying process-level sandboxing to the Waves Central XPC client, and limiting local user account access on hosts where Waves Central is installed. HarborGuard continues to re-check the advisory on each ingest cycle and will surface any additional guidance as the upstream vendor publishes it.
- Waves Audio Ltd. / Waves Central: ≤ 16.5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H