CVE-2026-24064
Deferred Deferred - Pending Action
Privilege Escalation in Waves Central for macOS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: SEC Consult Vulnerability Lab

Description
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-24064
EUVD
EUVD-2026-35447
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
waves audiomonitor 16.6.2
waves waves_central From 13.0.9 (inc) to 16.5.5 (inc)
waves_audio waves_central From 13.0.9 (inc) to 16.5.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the CVE-2026-24064 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-24064 is a local privilege escalation vulnerability in Waves Audio's Waves Central software for macOS, affecting versions 13.0.9 through 16.5.5.

The vulnerability exists because a trusted XPC client component, called InstlHelperApplication, is signed with entitlements that allow dynamic library injection via the DYLD_INSERT_LIBRARIES environment variable.

A local attacker can exploit this by injecting a malicious dynamic library into the trusted client process at launch. This injected code runs within the signed process and can connect to the privileged helper service to invoke privileged operations.

As a result, the attacker can execute arbitrary code with root privileges, effectively gaining full control over the system.

The issue was fixed in Waves Central version 16.6.2.

Impact Analysis

This vulnerability allows a local attacker to escalate their privileges to root on a macOS system running vulnerable versions of Waves Central.

With root privileges, the attacker can execute arbitrary code, potentially leading to full system compromise.

  • Unauthorized access to sensitive data.
  • Installation of persistent malware or backdoors.
  • Disruption or manipulation of system and application operations.
  • Bypassing security controls and gaining control over other users' data and processes.
Detection Guidance

This vulnerability involves the ability of a local attacker to inject a malicious dynamic library into the Waves Central trusted client process by setting the DYLD_INSERT_LIBRARIES environment variable. Detection would involve checking for suspicious use of this environment variable or unexpected dynamic library injections into the InstlHelperApplication process.

You can look for processes related to Waves Central and check their environment variables for DYLD_INSERT_LIBRARIES usage. For example, on macOS, you might use commands like:

  • ps aux | grep InstlHelperApplication
  • sudo launchctl getenv DYLD_INSERT_LIBRARIES
  • Check loaded dynamic libraries of the process using: otool -L /path/to/InstlHelperApplication

Monitoring for unexpected or unsigned dynamic libraries loaded into the trusted process can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to update Waves Central to version 16.6.2 or later, where this vulnerability has been fixed.

Until the patch is applied, restrict local user access to the affected software to prevent exploitation.

Additionally, conduct a thorough security review of your systems to identify any suspicious activity related to dynamic library injection or privilege escalation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart