Executive Summary

CVE-2026-40604 is a vulnerability in the opfilter Endpoint Security system extension used by ClearanceKit on macOS. This extension enforces file-access policies by intercepting file-system access events. Prior to version 5.0.6, any process running with root privileges can suspend the opfilter extension using signals like SIGSTOP or kill -STOP, or terminate it using SIGKILL or SIGTERM.

When the extension is suspended, all Endpoint Security AUTH events time out and default to allowing file-access operations. This effectively disables ClearanceKit's file-access policy enforcement silently for the duration of the suspension, allowing unauthorized file operations to occur.

Useful 0 Not Useful 0

Impact Analysis

An attacker with existing root privileges on a managed macOS host can exploit this vulnerability to temporarily bypass file-access authorization checks enforced by ClearanceKit.

• Unauthorized file exfiltration
• Staging or execution of binaries normally blocked by ClearanceKit policies
• Combining this bypass with other local privilege escalation techniques that require a brief window without policy enforcement

While the vulnerability does not bypass System Integrity Protection (SIP) or System Extension approval requirements by itself, it creates a high-severity risk by disabling critical file-access enforcement temporarily.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the opfilter Endpoint Security system extension being suspended or killed by root processes, which disables ClearanceKit's file-access policy enforcement. Detection would involve monitoring the status of the opfilter process and checking for signals such as SIGSTOP, SIGKILL, or SIGTERM being sent to it.

You can detect if the opfilter extension is suspended or terminated by checking the process status and signal events on macOS. For example, use commands like:

• ps aux | grep uk.craigbass.clearancekit.opfilter # To check if the opfilter process is running
• sudo dtrace -n 'syscall::kill:entry /pid == target_pid/ { printf("Signal %d sent to opfilter\n", arg1); }' # To monitor signals sent to the opfilter process (replace target_pid with actual PID)
• log stream --predicate 'process == "opfilter"' # To check system logs for any abnormal termination or suspension events

Since the vulnerability allows root processes to suspend or kill the opfilter extension, monitoring for unexpected suspension or termination signals to this process can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade ClearanceKit to version 5.0.6 or later, where the vulnerability is fixed by introducing a kernel-level interception mechanism that prevents signals from suspending or killing the opfilter extension.

There are no available workarounds because the fix requires kernel-level event interception to block the signals that suspend or kill the opfilter process.

Until the upgrade is applied, ensure that only trusted root users have access to the system, as the vulnerability requires root privileges to exploit.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-40604 allows an attacker with root privileges to suspend or kill the ClearanceKit opfilter system extension, which disables file-access policy enforcement temporarily and silently. This can enable unauthorized file exfiltration, staging, or execution of binaries that are normally blocked by ClearanceKit policies.

Such unauthorized file access and potential data exfiltration could lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over access to sensitive data and require protection against unauthorized disclosure or modification.

Therefore, this vulnerability poses a risk to maintaining compliance with these regulations by undermining the enforcement of file-access policies designed to protect sensitive information.

Useful 0 Not Useful 0