Skip to main content

X-VPN macOS EUVDEUVD-2026-35404

| CVE-2026-2638 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-09 Fluid Attacks GHSA-3r66-j4hr-jmxj
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 14:50 vuln.today
CVSS changed
Jun 09, 2026 - 13:22 NVD
7.3 (HIGH)
CVE Published
Jun 09, 2026 - 11:21 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 11:21 nvd
HIGH 7.3

DescriptionCVE.org

A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allow a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.

AnalysisAI

Local privilege escalation in X-VPN for macOS (website-distributed versions 77.0 through 77.5) allows a low-privileged local attacker to corrupt privileged files by abusing a race condition (TOCTOU) and symlink manipulation in the quarantine and restore workflow. Discovered and reported by Fluid Attacks, the issue is patched by the vendor; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Technical ContextAI

The vulnerability lives in X-VPN's macOS client distributed through the X-VPN website (CPE cpe:2.3:a:x-vpn:x-vpn_macos_website:*). The root cause is CWE-367 (Time-of-Check Time-of-Use), where the application's quarantine/restore code path validates a file or path and then later operates on it as a privileged process. Between the check and the use, an attacker swaps the target with a symlink pointing at a sensitive system-owned file, causing the privileged restore operation to write or modify that target. This pattern is common in macOS helper-tool architectures where an unprivileged GUI requests a privileged helper to act on user-supplied paths without atomic open-by-handle semantics or O_NOFOLLOW protection.

RemediationAI

Patch available per vendor advisory: upgrade X-VPN for macOS to the fixed build available from https://xvpn.io/download/vpn-mac (versions later than 77.5; consult https://xvpn.io/resources/statement-local-privilege-escalation-vulnerability for the exact fixed build number, which is not enumerated in the supplied data). As a compensating control until patching, restrict use of X-VPN to single-user macOS systems where no untrusted local accounts exist, since exploitation requires a local low-privileged attacker; on shared endpoints, uninstall the affected versions (77.0-77.5) and block reinstall via MDM application allowlisting until the patched build is deployed - the trade-off is loss of VPN functionality during the gap. Monitor for unexpected symlinks under the X-VPN quarantine/restore directories and audit privileged helper invocations as a detection layer.

Share

EUVD-2026-35404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy