Description
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Published: 2026-06-09
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a local attacker to inject a malicious dynamic library into a trusted Waves Central XPC client process on macOS using the DYLD_INSERT_LIBRARIES environment variable. The hardened runtime normally ignores DYLD_* variables, but the client is signed with entitlements that re-enable them (Apple's com.apple.security.cs.allow-dyld-environment-variables together with com.apple.security.cs.disable-library-validation is the usual combination). The injected library therefore loads inside a legitimately signed process, so whatever trust the product's privileged helper places in that client extends to the attacker's code, which can drive the helper's privileged operations and obtain arbitrary root-level code execution. This is a full compromise of system confidentiality, integrity, and availability.

Affected Systems

Waves Audio Ltd. Waves Central for macOS versions 13.0.9 through 16.5.5 are affected. The fix is provided in version 16.6.2 or later.

Risk and Exploitability

The exploit requires local access: the attacker launches the trusted client process themselves with DYLD_INSERT_LIBRARIES set in its environment, which any unprivileged local account can do, and no action by another user is needed. Once that works it yields full root access, so the impact is as high as a local flaw can be. No EPSS score is available and the vulnerability is not listed in CISA KEV, but the absence of a score does not reduce the severity of the flaw. No CVSS score is supplied; the nature of the flaw (local vector, low complexity, root outcome) indicates high severity.

Generated by OpenCVE AI on June 9, 2026 at 16:20 UTC.

Remediation

Vendor Solution

The issue is fixed in version 16.6.2 or higher, which can be downloaded from the vendor's download page at https://www.waves.com/downloads/central


OpenCVE Recommended Actions

  • Apply the Waves Central patch or upgrade to version 16.6.2 or later, available on the Waves download page. This is the only complete remediation.
  • Do not rely on unsetting DYLD_INSERT_LIBRARIES in your own shell or login environment: the attacker sets the variable in the environment of the client process they launch, so it has no effect on their process. Until the upgrade is applied, treat every local account as able to become root and restrict local logins on affected machines accordingly.
  • For product teams with the same design: privileged helpers must not treat a client as trusted if that client is signed with com.apple.security.cs.allow-dyld-environment-variables or com.apple.security.cs.disable-library-validation, because those entitlements let arbitrary code run inside the signed process. Remove the entitlements from the client, and have the helper pin a code-signing requirement on connecting peers rather than trusting any process that reaches the service.
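The following shell script is an added example, not part of the OpenCVE page and not Waves' code: it checks whether a macOS binary is signed with the hardened runtime and whether its entitlements re-enable DYLD_INSERT_LIBRARIES, which is the condition the advisory describes. It assumes Apple's documented entitlement keys (com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation), and the two output formats of codesign(1) on macOS 12 and later (XML with --xml on macOS 13+, the older colon-stripped blob before that); the embedded entitlements plist is constructed for the demonstration and is not Waves Central's actual entitlements.

```shell
#!/bin/sh
# Added example (not OpenCVE's or Waves' code): audit a macOS binary for the
# condition CVE-2026-24064 describes, a hardened-runtime signature whose
# entitlements re-enable DYLD_INSERT_LIBRARIES.

# Entitlement keys assumed here (Apple's documented hardened-runtime exceptions):
#   allow-dyld-environment-variables  dyld honours DYLD_* variables again
#   disable-library-validation        the inserted library need not match the Team ID
# Loading an attacker-built library as the advisory describes needs both.
ALLOW_DYLD="com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIBVAL="com.apple.security.cs.disable-library-validation"

# has_entitlement <entitlements-text> <key>: true if <key> is set to boolean true.
# Accepts both the XML plist form and the "[Key] ... [Bool] true" textual form
# that codesign(1) prints, by collapsing whitespace first.
has_entitlement() {
    flat=$(printf '%s' "$1" | tr -s '\n\t ' ' ')
    printf '%s' "$flat" |
        grep -qE "(<key>$2</key> *<true/>|\[Key\] $2 *\[Value\] *\[Bool\] true)"
}

# injection_possible <codesign-flags> <entitlements-text>: exit 0 if a
# DYLD_INSERT_LIBRARIES payload would load into the process.
#   - no "runtime" flag: hardened runtime is off, dyld env vars are honoured
#   - runtime flag plus both entitlements: the hardened runtime is bypassed
injection_possible() {
    case "$1" in
        *runtime*) ;;
        *) return 0 ;;
    esac
    has_entitlement "$2" "$ALLOW_DYLD" && has_entitlement "$2" "$DISABLE_LIBVAL"
}

# audit_binary <path>: run codesign(1) (macOS only) and print a verdict.
# Tries the --xml output first (macOS 13+), then the older colon-stripped form.
audit_binary() {
    flags=$(codesign -dv "$1" 2>&1 | sed -n 's/.*flags=\([^ ]*\).*/\1/p')
    ents=$(codesign -d --entitlements - --xml "$1" 2>/dev/null ||
           codesign -d --entitlements :- "$1" 2>/dev/null)
    if injection_possible "$flags" "$ents"; then
        echo "$1: DYLD_INSERT_LIBRARIES would be honoured (flags=$flags)"
        return 1
    fi
    echo "$1: hardened runtime blocks dyld injection (flags=$flags)"
}

# Constructed sample entitlements (not Waves Central's real plist) showing the
# vulnerable combination.
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<false/>
</dict>
</plist>'

if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    for bin in "$@"; do audit_binary "$bin"; done
elif injection_possible "0x10000(runtime)" "$SAMPLE_ENTITLEMENTS"; then
    echo "sample: hardened runtime present but entitlements re-enable injection"
fi
```

Run it on a Mac as `sh audit.sh /path/to/Some.app/Contents/MacOS/client` for each binary that talks to a privileged helper; without arguments it exercises the parser on the constructed sample. A binary reported as honouring DYLD_INSERT_LIBRARIES must not be trusted by a helper on the strength of its signature alone.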



Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Waves Audio
                                      Waves Audio waves Central
Vendors & Products                    Waves Audio
                                      Waves Audio waves Central

Tue, 09 Jun 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Title                          Local Privilege Escalation via Dynamic Library Injection in Waves Central for macOS
Weaknesses                     CWE-426
References

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-09T14:47:16.296Z

Reserved: 2026-01-21T11:29:19.853Z

Link: CVE-2026-24064

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-09T16:16:39.350

Modified: 2026-06-09T19:36:10.547

Link: CVE-2026-24064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:32Z

Weaknesses