Description
During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement:
"anchor trusted and certificate leaf[subject.CN] = \"Developer ID Application: Native Instruments GmbH (83K5EG6Z9V)\""

The Native Access application was found to be signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements leading to DYLIB injection and therefore command execution in the context of this application. A low privileged user can exploit the DYLIB injection to trigger functions of the privileged helper XPC service resulting in privilege escalation by first deleting the /etc/sudoers file and then copying a malicious version of that file to /etc/sudoers.
Published: 2026-02-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Request Patch
AI Analysis

Impact

During installation of Native Access on macOS, the installer deploys a privileged helper that communicates with the main application over XPC. The helper enforces a code‑signing requirement, so only a client signed with the vendor's Developer ID certificate can reach it. Native Access itself is signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements, which give an attacker the ability to inject a dynamic library into the process. Code running inside the signed process satisfies the helper's signing check, so a local user can then invoke privileged helper functions such as remove and copy‑file to delete the system /etc/sudoers file and replace it with a malicious copy, effectively granting root privileges. The vulnerability is classified as an untrusted search path weakness (CWE‑426) and leads to privilege escalation, compromising confidentiality, integrity and availability of the system.

Affected Systems

Native Instruments Native Access running on macOS is affected. All versions installed on Apple macOS environments share the same code‑signing and entitlement configuration, and no specific version numbers are listed in the current advisory. Users of Native Access on macOS devices should assume the vulnerability applies until a vendor‑provided fix is issued.

Risk and Exploitability

The CVSS base score of 8.8 indicates a high severity for local privilege escalation. However, the EPSS score of less than 1 percent suggests a very low current exploitation probability, and the vulnerability has not yet been recorded in the CISA Known Exploited Vulnerabilities catalog. The attack requires a local user account and the ability to run Native Access; the exploit path involves manipulating DYLD environment variables to inject a library that triggers privileged helper actions. Because the vulnerable component is a helper service with elevated privileges, a successful exploitation would allow attackers to modify system files such as /etc/sudoers, resulting in full root access.

Generated by OpenCVE AI on April 18, 2026 at 00:39 UTC.

Remediation

Vendor Solution

The vendor was unreachable and did not respond to multiple contact attempts. No patch is available. Customers should contact the vendor and request a patch. Update 2026-04-29: The vendor provides a patched version, v3.24, which fixes the identified security issues.


OpenCVE Recommended Actions

  • Contact Native Instruments immediately to request an update or patch that removes the insecure DYLD and library validation entitlements, and hold off on installing or updating Native Access until the patch is available.
  • If you cannot obtain a patch, uninstall Native Access and any associated privileged helper binaries, and disable or delete the launchd service that runs the helper to prevent accidental execution.
  • Set up monitoring on the system to detect unauthorized modifications to /etc/sudoers or the presence of unexpected DYLD environment variable settings, and restore the file from a known‑good backup if tampered.
  • Consider using macOS security features such as System Integrity Protection and the restrictive app sandbox to reduce the risk of DYLD injection if the application must remain installed.
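The entitlement and monitoring checks described above can be scripted. The following is an added example, not code from OpenCVE or the vendor: it audits an entitlements plist (such as the one `codesign -d --entitlements` dumps) for the two hardened-runtime exceptions named in the description, lists DYLD_* variables in an environment mapping, and compares /etc/sudoers content against a recorded SHA-256 baseline. The function names and the sample plists are assumptions constructed for illustration.

```python
import hashlib
import plistlib

# Hardened-runtime exceptions named in the advisory.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

def audit_entitlements(plist_bytes):
    """Return findings for an entitlements plist (XML or binary)."""
    ents = plistlib.loads(plist_bytes)
    dyld = ents.get(ALLOW_DYLD_ENV) is True
    nolv = ents.get(DISABLE_LIB_VALIDATION) is True
    findings = []
    if dyld:
        findings.append("process honours DYLD_* environment variables")
    if nolv:
        findings.append("process loads libraries signed by other teams or unsigned")
    if dyld and nolv:
        findings.append("both set: DYLIB injection into the signed process is possible")
    return findings

def dyld_variables(env):
    """Return the DYLD_* names present in an environment mapping."""
    return sorted(name for name in env if name.startswith("DYLD_"))

def sudoers_tampered(current_bytes, baseline_sha256):
    """True when the file content no longer matches the recorded baseline."""
    return hashlib.sha256(current_bytes).hexdigest() != baseline_sha256

# Constructed samples, not taken from a real Native Access build.
VULNERABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""
HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict></dict></plist>"""

if __name__ == "__main__":
    for label, blob in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_entitlements(blob))
```

Either entitlement alone is reported as a finding; the third finding appears only when both are present, which is the configuration the advisory describes.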


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 11 Feb 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple; Apple macos; Native-instruments; Native-instruments native Access |
| CPEs | | cpe:2.3:a:native-instruments:native_access:\*:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:o:apple:macos:-:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Apple; Apple macos; Native-instruments; Native-instruments native Access |

Wed, 04 Feb 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Native Instruments; Native Instruments native Access |
| Vendors & Products | | Native Instruments; Native Instruments native Access |

Mon, 02 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 02 Feb 2026 13:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement: "anchor trusted and certificate leaf[subject.CN] = \"Developer ID Application: Native Instruments GmbH (83K5EG6Z9V)\"" The Native Access application was found to be signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements leading to DYLIB injection and therefore command execution in the context of this application. A low privileged user can exploit the DYLIB injection to trigger functions of the privileged helper XPC service resulting in privilege escalation by first deleting the /etc/sudoers file and then copying a malicious version of that file to /etc/sudoers. |
| Title | | Local Privilege Escalation via DYLIB Injection in Native Instruments Native Access |
| Weaknesses | | CWE-426 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-04-29T08:33:56.816Z

Reserved: 2026-01-21T11:29:19.854Z

Link: CVE-2026-24070

Vulnrichment

Updated: 2026-02-02T17:07:42.488Z

NVD

Status: Modified

Published: 2026-02-02T14:16:35.613

Modified: 2026-04-29T09:16:23.933

Link: CVE-2026-24070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses