HIGH | CVE-2026-24065 | CNA: SEC-VLab

CVE-2026-24065: Local Privilege Escalation via Insecure XPC Client Validation in Waves Central for macOS

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in the Waves Central privileged helper service on macOS, affecting versions 13.0.9 through 16.5.5. The helper authenticates connecting XPC clients by checking the client process identifier (PID), but PIDs can be recycled by the operating system, so a local attacker can win a race condition between connection and validation to make the helper trust an attacker-controlled process. Successful exploitation gives the attacker the ability to invoke privileged operations and execute arbitrary code as root. No fix version has been published upstream; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-24065 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Waves Central components. Any image containing an affected version of Waves Central (13.0.9 through 16.5.5) is flagged automatically in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) using the published v3.1 vector, and that score is surfaced alongside per-environment compliance policy weighting so teams can calibrate urgency against their own risk thresholds. Triage routing is available to direct the finding to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, customers can apply compensating controls through HarborGuard policy rules, such as flagging images that include Waves Central as non-compliant for deployment in privilege-sensitive environments.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The CVSS vector specifies AV:N, meaning the attacker must reach the service over the network, though in practice the vulnerability description indicates local access is the actual entry point; the network attack vector classification reflects the upstream scoring.

  • Authentication: Not required

    PR:N indicates no credentials or account privileges are required before initiating the exploit.

  • Victim interaction: Not required

    UI:N means no user action, click, or social engineering is needed; the attacker can proceed entirely without victim participation.

  • Attack complexity: Detail

    AC:H indicates the attacker must win a race condition between the XPC connection request and the PID validation check, making reliable exploitation dependent on precise timing and process scheduling.

Blast Radius

  • Attacker executes arbitrary code with root privileges on the compromised macOS host.
  • Attacker reads any file on the filesystem, including credentials, private keys, and application data stored by other users or processes.
  • Attacker modifies or replaces system binaries, configuration files, and persisted application data.
  • Attacker crashes or manipulates any process on the host, including security tooling and monitoring agents.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-24065 as of the publication date, HarborGuard re-evaluates the advisory on every feed ingest cycle and will trigger a patched-image rebuild automatically once version 16.6.2 or a later fix is published upstream. For customers who have auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention at that point. In the interim, compensating controls are available through HarborGuard policy configuration: images containing affected Waves Central versions can be flagged as non-compliant for deployment in environments where privileged helper services run, network-policy isolation rules can restrict lateral reachability to those hosts, and egress filtering policies can limit the blast radius if a host is compromised. HarborGuard will surface an updated finding card the moment the upstream advisory changes status.

Affected packages
  • Waves Audio Ltd. / Waves Central
    ≤ 16.5.5
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H