216.73.217.172

CVE-2026-24064

· Published 09/06/2026 16:16 · Modified 10/06/2026 15:16

Labels: CVE-2026-24064 2026-06-09551230f0-3615-47bd-b7cc-93e92e730bbfCVE-2026-24064CWE-426

Essential information

Published
09/06/2026 16:16
Modified
10/06/2026 15:16
Author
Creator
CVSS
7.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
551230f0-3615-47bd-b7cc-93e92e730bbf
NVD
View on NVD

Affected products (CPE)

ProductCPE
waves / waves central cpe:2.3:a:waves:waves_central:13.0.9-16.5.5:*:*:*:*:*:*:*
waves / waves central cpe:2.3:a:waves:waves_central:16.6.2:*:*:*:*:*:*:*

References