CVE-2026-24065
Deferred - Pending Action
Privilege Escalation in Waves Central for macOS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: SEC Consult Vulnerability Lab

Description
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor | Product | Version / Range
waves_audio | waves_central | From 13.0.9 (inc) to 16.5.5 (inc)
waves_audio | waves_central | 16.6.2
waves | audiomonitor | From 13.0.9 (inc) to 16.5.5 (inc)
waves | waves_central | From 13.0.9 (inc) to 16.5.5 (inc)
CWE ID | Description
CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Mitigation Strategies

To mitigate this vulnerability, update Waves Central for macOS to version 16.6.2 or later, where the issue is fixed.

Executive Summary

Waves Central for macOS versions 13.0.9 through 16.5.5 have a local privilege escalation vulnerability in the privileged helper service. The helper service tries to verify connecting clients by using their process identifier (PID) to confirm their code-signing identity. However, because PIDs can be reused by the system, an attacker can exploit a race condition between the connection request and the validation step. This causes the helper to mistakenly trust a malicious process controlled by the attacker, allowing the attacker to perform privileged operations and execute arbitrary code with root privileges.

Impact Analysis

This vulnerability allows a local attacker to escalate their privileges to root on the affected macOS system. By exploiting the race condition, the attacker can execute arbitrary code with the highest system privileges, potentially compromising the entire system, accessing sensitive data, installing malware, or disrupting system operations.

Compliance Impact

The provided information does not specify how this local privilege escalation vulnerability in Waves Central for macOS affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

There are no specific detection commands or network indicators provided for this vulnerability. It is a local privilege escalation issue affecting Waves Central for macOS versions 13.0.9 through 16.5.5, involving a race condition in the privileged helper service.

Since the vulnerability exploits a race condition in the XPC service "com.waves.central.InstlHelper" by abusing PID reuse, detection would require monitoring or analyzing local process behavior and XPC client connections, which is complex and not detailed in the available information.

The recommended action is to update Waves Central to version 16.6.2 or later, as no workarounds or detection commands are provided.
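A version triage check for the ranges listed on this page, given as an added example that is not from the vendor or the advisory. The function names and verdict labels are hypothetical, and the installed version string is assumed to be supplied by the operator.

```shell
#!/bin/sh
# Added example: triage a Waves Central version string against the ranges
# listed for CVE-2026-24065. Function names and verdict labels are
# hypothetical; the operator supplies the installed version string.

# ver_cmp A B: print -1, 0 or 1 comparing dotted numeric versions.
# Missing components count as 0, so 13.0 sorts below 13.0.9.
ver_cmp() {
    vc_a=$1 vc_b=$2
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_x=${vc_a%%.*}; vc_y=${vc_b%%.*}
        # Drop the component just read; clear the string on the last one.
        [ "$vc_a" = "$vc_x" ] && vc_a= || vc_a=${vc_a#*.}
        [ "$vc_b" = "$vc_y" ] && vc_b= || vc_b=${vc_b#*.}
        vc_x=${vc_x:-0}; vc_y=${vc_y:-0}
        if [ "$vc_x" -lt "$vc_y" ]; then echo "-1"; return 0; fi
        if [ "$vc_x" -gt "$vc_y" ]; then echo "1"; return 0; fi
    done
    echo "0"
}

classify_waves_version() {
    # Accept digits separated by single dots only.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    if [ "$(ver_cmp "$1" 13.0.9)" -lt 0 ]; then
        echo below-listed-range      # older than the first affected version
    elif [ "$(ver_cmp "$1" 16.5.5)" -le 0 ]; then
        echo affected                # 13.0.9 through 16.5.5 inclusive
    elif [ "$(ver_cmp "$1" 16.6.2)" -ge 0 ]; then
        echo fixed                   # 16.6.2 or later
    else
        echo unlisted                # between 16.5.5 and 16.6.2: page is silent
    fi
}

# Stand-alone use: sh check.sh 16.5.5
if [ "$#" -gt 0 ]; then
    classify_waves_version "$1"
fi
```

Versions between 16.5.5 and 16.6.2 are reported as `unlisted` because the page gives no status for them; treat those hosts as needing the update to 16.6.2 or later.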
