Description
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Demand Fix
AI Analysis

Impact

The vulnerability lies in the VSL privileged helper's use of NSXPC for interprocess communication. The helper's function that should validate new connections does not perform any verification, which allows any local process to establish a connection to its XPC service. Once connected, an attacker gains access to the HelperToolProtocol, including the unprotected functions 'writeReceiptFile' and 'runUninstaller'. These functions permit arbitrary file writes with any data and arbitrary command execution, respectively, enabling a local attacker to modify critical system files or execute programs with elevated privileges. The absence of validation results in a clear privilege escalation path without requiring exploitation of additional weaknesses.

Affected Systems

This flaw affects Vienna Symphonic Library GmbH's Vienna Assistant software. No specific version information is provided in the CNA data, so any installation of Vienna Assistant that includes the VSL privileged helper is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog, supporting the low exploit likelihood assessment. The likely attack vector is local: any process running on the same machine can connect to the vulnerable XPC endpoint. Given the lack of client validation and the powerful operations exposed by the helper, a local attacker can achieve full privilege escalation with minimal prerequisites.

Generated by OpenCVE AI on March 26, 2026 at 15:34 UTC.

Remediation

Vendor Solution

The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.

OpenCVE Recommended Actions

  • Reach out to Vienna Symphonic Library and demand an urgent patch or mitigation guidance
  • If the application is non‑critical, uninstall Vienna Assistant or disable its helper service
  • Restrict local execution rights to prevent untrusted processes from creating XPC connections to Vienna Assistant
  • Monitor system logs for unexpected XPC activity or unauthorized file write attempts

Generated by OpenCVE AI on March 26, 2026 at 15:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://r.sec-consult.com/vsl cve-icon cve-icon
History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Vienna Symphonic Library
Vienna Symphonic Library vienna Assistant
Vendors & Products Vienna Symphonic Library
Vienna Symphonic Library vienna Assistant

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.
Title Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library
Weaknesses CWE-306
References

Subscriptions

Vienna Symphonic Library Vienna Assistant
cve-icon MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-03-26T13:51:53.385Z

Reserved: 2026-01-21T11:29:19.853Z

Link: CVE-2026-24068

cve-icon Vulnrichment

Updated: 2026-03-26T13:50:04.333Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T11:16:20.097

Modified: 2026-03-26T15:16:32.303

Link: CVE-2026-24068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:28:46Z

Weaknesses