Skip to main content

Waves Central CVE-2026-24065

| EUVDEUVD-2026-35448 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-09 SEC-VLab GHSA-hmpm-h2c9-p557
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 18:49 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
8.1 (HIGH)
CVE Published
Jun 09, 2026 - 14:50 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 14:50 nvd
HIGH 8.1

DescriptionCVE.org

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

AnalysisAI

Local privilege escalation in Waves Central for macOS (13.0.9 through 16.5.5) allows an unprivileged local user to gain root code execution by exploiting a time-of-check/time-of-use race in the privileged helper's XPC client validation. The helper trusts the connecting process's PID to verify code-signing identity, but PID reuse permits an attacker-controlled process to masquerade as a legitimate Waves client. SSVC reports a public proof-of-concept exists; the issue is not listed in CISA KEV.

Technical ContextAI

Waves Central is a macOS installer/license manager from Waves Audio that ships with a SMJobBless-style privileged helper communicating over Apple's XPC IPC framework. Apple's recommended pattern is to validate a connecting client via audit tokens (kSecGuestAttributeAudit) rather than PIDs, because audit tokens are kernel-supplied and immune to reuse. The vulnerable helper instead resolves the caller's PID and then checks the code-signing identity of that PID - a classic CWE-367 (TOCTOU race). Between the connect() and the SecCode validation, the original signed binary can exit and the kernel can recycle the PID to an attacker-spawned process, defeating the identity check and allowing privileged XPC methods to be invoked. The affected CPE is cpe:2.3:a:waves_audio_ltd.:waves_central:*:*:*:*:*:*:*:* across the entire 13.0.9-16.5.5 range.

RemediationAI

Vendor-released patch: Waves Central 16.6.2 - upgrade all macOS installations of Waves Central to 16.6.2 or later as the primary remediation, per the SEC Consult Vulnerability Lab advisory at https://r.sec-consult.com/waves. Where immediate upgrade is not possible, compensating controls include uninstalling Waves Central from shared or multi-user macOS endpoints until patched (trade-off: users cannot install/activate Waves plugins), unloading the privileged helper LaunchDaemon (typically under /Library/PrivilegedHelperTools/ with a com.waves.* label) via launchctl unload and removing its plist so the vulnerable XPC endpoint is not reachable (trade-off: license activation and plugin installation will fail until reloaded), and restricting local interactive logon on engineering/studio macs to the single trusted operator (trade-off: blocks legitimate multi-user workflows). Generic "defense in depth" is not a substitute - the only durable fix is upgrading to 16.6.2.

Share

CVE-2026-24065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy