Severity: HIGH | CVE-2026-24067 | CNA: SEC-VLab

CVE-2026-24067: Slate Digital Connect macOS XPC PID validation privilege escalation

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.
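
The PID-based validation pattern described above, shown beside a hardened listener. This is an added illustration and not Slate Digital's code; the service name, client identifier, team ID and `HelperProtocol` are constructed placeholders, and the hardened path assumes macOS 13 or later.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Constructed placeholders (not from the advisory): service name, identifier, team ID.
static NSString *const kService = @"com.example.helper";
static NSString *const kClientReq = @"anchor apple generic and "
    @"identifier \"com.example.client\" and certificate leaf[subject.OU] = \"TEAMID1234\"";

// BEFORE (weak): resolve the peer by PID, then check that process's signature.
// The PID is only a number; by the time the lookup runs it can name another process.
static BOOL ClientTrustedByPID(NSXPCConnection *conn) {
    NSDictionary *attrs = @{(__bridge NSString *)kSecGuestAttributePid: @(conn.processIdentifier)};
    SecCodeRef code = NULL; SecRequirementRef req = NULL;
    BOOL ok = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                             kSecCSDefaultFlags, &code) == errSecSuccess
        && SecRequirementCreateWithString((__bridge CFStringRef)kClientReq,
                                          kSecCSDefaultFlags, &req) == errSecSuccess
        && SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess;
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return ok;
}

@protocol HelperProtocol
- (void)pingWithReply:(void (^)(NSString *))reply;
@end
@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end
@implementation Helper
- (void)pingWithReply:(void (^)(NSString *))reply { reply(@"pong"); }
- (BOOL)listener:(NSXPCListener *)l shouldAcceptNewConnection:(NSXPCConnection *)c {
    // AFTER: no ClientTrustedByPID() call; the listener requirement below gates every peer.
    c.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    c.exportedObject = self;
    [c resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:kService];
        // Public API, macOS 13+: the framework enforces the requirement on each connection.
        if (@available(macOS 13.0, *)) [listener setConnectionCodeSigningRequirement:kClientReq];
        else return 1;  // refuse to start rather than fall back to the PID check
        Helper *helper = [Helper new];
        listener.delegate = helper;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
}
```

On systems older than macOS 13, the equivalent check keys the `SecCodeCopyGuestWithAttributes` lookup on the connection's audit token (`kSecGuestAttributeAudit`) instead of `kSecGuestAttributePid`.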

Metrics

  • CVSS v3.1: 8.4
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in Slate Digital Connect 1.37.0 for macOS, caused by a time-of-check time-of-use (TOCTOU) race condition in the privileged helper tool's XPC client validation. The helper authenticates connecting processes by PID, but because PIDs can be reused, a local attacker can win the race so that validation runs against a trusted process rather than the attacker's own. Successful exploitation gives the attacker full read, write, and execution access at the privilege level of the helper tool. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built macOS-targeted container images that bundle Slate Digital Connect 1.37.0. Any image carrying the affected binary is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.4 HIGH and is capable of weighting that score against each customer's per-environment compliance policy to determine urgency and escalation path. Routing to the appropriate team inbox within each customer organization is handled automatically based on those policy rules.

Status: Available

Patch

No fix version has been published by Slate Digital at this time, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required.

  • Authentication: Not required

    No account credentials or prior authentication are needed to attempt the exploit; any local process can connect to the XPC service.

  • Victim interaction: Not required

    The race condition is triggered entirely by the attacker's own processes and requires no action from another user.

  • Attack complexity: Detail

    The attack requires winning a PID-reuse race condition, which introduces timing sensitivity, but the overall exploit is considered reliable under low-complexity conditions per the CVSS AC:L rating.

Blast Radius

  • Reads any files or data accessible to the privileged helper tool, including credentials, license keys, and application state stored on the host.
  • Writes or modifies files owned by the privileged helper, enabling persistence mechanisms or tampering with application configuration.
  • Executes arbitrary code at the privilege level of the helper tool, which on macOS typically runs as root or a high-privilege system account.
  • Crashes or destabilizes the helper tool process, disrupting the Slate Digital Connect service for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-24067, HarborGuard monitors the Slate Digital advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. In the interim, compensating controls are worth considering: network-policy isolation is not directly applicable given the local attack vector, but restricting which container workloads bundle the Slate Digital Connect binary, disabling the privileged helper tool where it is not required for production function, and applying macOS endpoint controls that limit XPC service exposure can all reduce the window of opportunity for exploitation. HarborGuard will surface the affected images in the findings dashboard so teams can prioritize manual review against those workload-specific controls.

Affected packages
  • Slate Digital LLC / Slate Digital Connect 1.37.0

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H