CVE-2026-24064
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
Waves Central for macOS versions 13.0.9 through 16.5.5 contains a local privilege escalation vulnerability. A trusted XPC client component allows for dynamic library injection, enabling a local attacker to execute arbitrary code as root.
Risk Assessment
This vulnerability poses a significant security risk as it allows an attacker to gain full system privileges, potentially leading to unauthorized access to data and resources.
Recommendation
It is recommended to update to version 16.6.2 or later to mitigate this vulnerability and secure the system against potential attacks.
Original NVD description (English source)
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

