CVE Catalog

CVE-2026-24064

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

6th percentile - higher than 6% of all known CVEs

Summary

Waves Central for macOS versions 13.0.9 through 16.5.5 contains a local privilege escalation vulnerability. A trusted XPC client component allows for dynamic library injection, enabling a local attacker to execute arbitrary code as root.

Risk Assessment

This vulnerability poses a significant security risk as it allows an attacker to gain full system privileges, potentially leading to unauthorized access to data and resources.

Recommendation

It is recommended to update to version 16.6.2 or later to mitigate this vulnerability and secure the system against potential attacks.

Original NVD description (English source)

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS