Description
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Published: 2026-06-09
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Waves Central for macOS versions 13.0.9 through 16.5.5 contains a local privilege escalation vulnerability in its privileged helper service. The service validates connecting XPC clients by checking the client’s process identifier (PID) against its code‑signing identity. Because PIDs can be reused, an attacker who is able to start a local process can exploit a race condition between the connection request and the helper’s validation step, causing the helper to incorrectly trust the attacker‑controlled process. Once validated, the attacker can invoke privileged operations, resulting in arbitrary code execution as root.

Affected Systems

The affected systems are macOS installations running Waves Audio Ltd.'s Waves Central, versions 13.0.9 to 16.5.5 inclusive.

Risk and Exploitability

The vulnerability can only be exploited locally and requires the attacker to run a process on the target machine. No exploitation probability score or KEV listing is available, but the CVSS score of 8.1 indicates high severity, and the impact of achieving root execution is severe. Attackers can achieve complete control over the affected system, compromising confidentiality, integrity, and availability. The risk remains high until the affected versions are upgraded or the helper service is disabled.

Generated by OpenCVE AI on June 9, 2026 at 17:28 UTC.

Remediation

Vendor Solution

The issue is fixed in version 16.6.2 and later, available from the vendor's download page at https://www.waves.com/downloads/central


OpenCVE Recommended Actions

  • Update Waves Central to version 16.6.2 or later, which fixes the insecure XPC client validation.
  • If the update cannot be applied immediately, disable the Waves Central privileged helper service so it cannot process XPC requests.
  • Restrict which local users can launch or modify the Waves Central XPC client, limiting the attack surface until a patch is applied.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Waves Audio; Waves Audio waves Central
Vendors & Products | | Waves Audio; Waves Audio waves Central

Tue, 09 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
Title | | Local Privilege Escalation via Insecure XPC Client Validation in Waves Central for macOS
Weaknesses | | CWE-367
References | |

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-09T15:58:35.788Z

Reserved: 2026-01-21T11:29:19.853Z

Link: CVE-2026-24065

Vulnrichment

Updated: 2026-06-09T15:54:43.741Z

NVD

Status: Deferred

Published: 2026-06-09T16:16:39.477

Modified: 2026-06-09T19:36:10.547

Link: CVE-2026-24065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:31Z
