Skip to main content

ClearanceKit EUVDEUVD-2026-24213

| CVE-2026-40604 HIGH
Protection Mechanism Failure (CWE-693)
2026-04-21 security-advisories@github.com
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 20:49 nvd
Patch available
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 18:49 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 18:22 euvd
EUVD-2026-24213
Analysis Generated
Apr 21, 2026 - 18:22 vuln.today
CVE Published
Apr 21, 2026 - 18:16 nvd
HIGH 8.2

DescriptionGitHub Advisory

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.6, the opfilter Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter) can be suspended with SIGSTOP or kill -STOP, or killed with SIGKILL/SIGTERM, by any process running as root. While the extension is suspended, all AUTH Endpoint Security events time out and default to allow, silently disabling ClearanceKit's file-access policy enforcement for the duration of the suspension. This vulnerability is fixed in 5.0.6.

AnalysisAI

Local privilege escalation in ClearanceKit opfilter system extension allows root-level processes on macOS to completely bypass file-access policy enforcement by suspending or killing the Endpoint Security extension. An attacker with root access can send SIGSTOP to the uk.craigbass.clearancekit.opfilter extension, causing all AUTH events to time out and silently default to allow, effectively disabling all ClearanceKit file-access controls. This represents a critical security control bypass for environments relying on ClearanceKit for file-system access restrictions. Fixed in version 5.0.6. No public exploit identified at time of analysis, though exploitation is straightforward for any attacker who has already achieved root access on the macOS system.

Technical ContextAI

ClearanceKit implements a macOS Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter) that intercepts file-system access events and enforces per-process access policies. The vulnerability stems from insufficient protection against signal-based process control (CWE-693: Protection Mechanism Failure). macOS Endpoint Security extensions handle authorization events synchronously - when the extension is suspended via SIGSTOP or terminated with SIGKILL/SIGTERM, pending AUTH events time out. The macOS Endpoint Security framework defaults to 'allow' on timeout to prevent system deadlock, creating a fail-open condition. This design means that any process running with root privileges can effectively disable the security extension by suspending its execution, causing all file-access policy checks to silently pass. The CVSS 4.0 vector indicates local attack (AV:L), low complexity (AC:L), high privileges required (PR:H), but critically high impact on subsequent system confidentiality and integrity (SC:H/SI:H), reflecting the scope change from compromising the extension to bypassing system-wide access controls.

RemediationAI

Upgrade ClearanceKit to version 5.0.6 or later, which implements proper protection against signal-based attacks on the opfilter system extension. The update can be obtained from the vendor's GitHub repository referenced in the security advisory at https://github.com/craigjbass/clearancekit/security/advisories/GHSA-5r9w-9fg6-266q. For environments unable to immediately upgrade, implement compensating controls by restricting which processes can run with root privileges through mandatory access controls external to ClearanceKit (such as TCC restrictions or third-party privilege management solutions), though this has limited effectiveness since the vulnerability itself requires root access. Monitor system logs for unexpected termination or suspension of the opfilter extension process (look for SIGSTOP/SIGKILL/SIGTERM events against processes with bundle ID uk.craigbass.clearancekit.opfilter), which may indicate exploitation attempts, though legitimate administrative actions could also trigger these signals. Note that there is no effective workaround that preserves both ClearanceKit functionality and prevents this bypass - the only complete remediation is upgrading to the patched version.

Share

EUVD-2026-24213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy