CVE-2026-24065

HIGH 8.1

Local Privilege Escalation via Insecure XPC Client Validation in Waves Central for macOS

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.

CWE	CWE-367
Vendor	waves audio ltd.
Product	waves central
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for waves audio ltd. waves central

Be the first to know when new high vulnerabilities affecting waves audio ltd. waves central are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Waves Audio Ltd. / Waves Central

13.0.9 ≤ 16.5.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

r.sec-consult.com: https://r.sec-consult.com/waves sec-consult.com: https://sec-consult.com/vulnerability-lab/advisory/multiple-local-privilege-escalation-vulnerabilities-in-waves-audio-waves-central/

Credits

Florian Haselsteiner, SEC Consult Vulnerability Lab