Skip to main content

Waves Central CVE-2026-24064

| EUVDEUVD-2026-35447 HIGH
Untrusted Search Path (CWE-426)
2026-06-09 SEC-VLab GHSA-6fpq-hqx5-5mq2
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 15:23 vuln.today
CVSS changed
Jun 10, 2026 - 15:22 NVD
7.8 (HIGH)
CVE Published
Jun 09, 2026 - 14:47 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 14:47 nvd
HIGH 7.8

DescriptionCVE.org

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

AnalysisAI

Local privilege escalation in Waves Central for macOS versions 13.0.9 through 16.5.5 allows an unprivileged user to gain root code execution by injecting a malicious dylib into a trusted XPC client process via DYLD_INSERT_LIBRARIES. The injected code then abuses the product's privileged helper service to perform operations as root. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), consistent with a local-only macOS desktop attack surface.

Technical ContextAI

Waves Central is an audio software management application for macOS that uses Apple's XPC inter-process communication framework alongside a privileged helper service to perform installation and configuration tasks. The vulnerability is rooted in CWE-426 (Untrusted Search Path): a bundled XPC client binary is code-signed with hardened runtime entitlements that explicitly allow dynamic library injection (com.apple.security.cs.allow-dyld-environment-variables and/or com.apple.security.cs.disable-library-validation). Because the helper trusts the client based on code signature, an attacker-controlled library loaded into that signed process inherits the helper's trust and can invoke privileged XPC operations. The CPE confirms the impact is limited to Waves Audio Ltd.'s Waves Central product family.

RemediationAI

Upgrade Waves Central to vendor-released patch version 16.6.2 or later on all macOS endpoints, as confirmed in the SEC-VLab/SEC Consult advisory at https://r.sec-consult.com/waves. Until patching is possible, compensating controls include restricting local interactive logon on machines running Waves Central to trusted users only, removing the privileged helper LaunchDaemon (typically under /Library/PrivilegedHelperTools/) which will disable installer/updater functionality but block the privilege-escalation path, and uninstalling Waves Central from shared or multi-user macOS hosts where it is not actively required. Endpoint monitoring should additionally alert on DYLD_INSERT_LIBRARIES being set in the environment of Waves-signed processes, accepting the false-positive cost from legitimate developer tooling.

Share

CVE-2026-24064 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy