Skip to main content

Slate Digital Connect CVE-2026-24067

| EUVDEUVD-2026-36000 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-10 551230f0-3615-47bd-b7cc-93e92e730bbf GHSA-gm33-xcxj-p624
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 15:25 vuln.today
CVSS changed
Jun 10, 2026 - 15:22 NVD
8.4 (HIGH)
CVE Published
Jun 10, 2026 - 12:16 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 10, 2026 - 12:16 nvd
HIGH 8.4

DescriptionNVD

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.

AnalysisAI

Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users on the host to gain root-level capabilities by abusing a TOCTOU race in the privileged helper's XPC client validation. The com.slatedigital.connect.privileged.helper.tool2 service identifies callers by PID and then queries code-signing information, but PID reuse lets an attacker substitute a trusted process between check and use. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the technical pattern is well-known on macOS and a SEC Consult advisory describes the flaw in detail.

Technical ContextAI

The vulnerability sits in a macOS privileged helper installed via SMJobBless-style mechanisms and reachable over XPC (Apple's Mach-port-based IPC framework). The helper authenticates incoming XPC connections by retrieving the connecting peer's PID and then performing code-signing checks (typically via SecCodeCopyGuestWithAttributes or similar APIs keyed on PID). Because PIDs are recycled by the kernel once a process exits, the time window between obtaining the PID and validating its signature creates a classic CWE-367 (Time-of-check Time-of-use) race. Apple's own guidance for years has been to validate XPC peers via audit tokens (xpc_connection_get_audit_token) rather than PIDs, precisely because audit tokens are kernel-supplied and not subject to reuse, which makes this a recurring class of macOS helper-tool flaw rather than a novel discovery.

RemediationAI

No vendor-released patch identified at time of analysis in the provided references, so the primary action is to monitor Slate Digital for an updated Connect release that replaces PID-based XPC client validation with audit-token-based validation (via xpc_connection_get_audit_token and SecCodeCopyGuestWithAttributes keyed on the audit token attribute). Until a fix ships, compensating controls include uninstalling Slate Digital Connect on multi-user macOS systems or shared workstations where untrusted local users can run code, and removing the privileged helper from /Library/PrivilegedHelperTools along with its launchd plist in /Library/LaunchDaemons to eliminate the attack surface - the trade-off is that licensing, activation, and any helper-mediated install/update features in Connect will stop working until reinstalled. On single-user creative workstations the practical risk is lower since the attacker already needs local code execution, so monitoring endpoint telemetry for unexpected XPC activity against the helper service is a reasonable interim control. Track the SEC Consult advisory (https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-in-slate-digital-connect/ and https://r.sec-consult.com/slate) and NVD entry for fix availability.

Share

CVE-2026-24067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy