CVE-2026-24065

Published 09/06/2026 16:16 · Modified 09/06/2026 19:36

Labels: CVE-2026-24065, 2026-06-09, 551230f0-3615-47bd-b7cc-93e92e730bbf, CWE-367

Essential information

Published: 09/06/2026 16:16
Modified: 09/06/2026 19:36
Author:
Creator:
CVSS: 8.1 HIGH (v3.1)
CISA KEV: No
CWE: CWE-367
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf

Affected products (CPE)

Product | CPE
waves / waves central | cpe:2.3:a:waves:waves_central:13.0.9-16.5.5:*:*:*:*:*:*:*
waves / waves central | cpe:2.3:a:waves:waves_central:16.6.2:*:*:*:*:*:*:*
