Description
A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allows a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.
Published: 2026-06-09
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A time-of-check to time-of-use race condition (CWE-367) in the quarantine and restore workflow of the X‑VPN macOS website allows a local attacker to create or manipulate a symbolic link during concurrent file operations. By exploiting this timing gap, the attacker can overwrite privileged files, effectively achieving privilege escalation and compromising system integrity. The CVSS 4.0 score of 7.3 rates the flaw as High severity.

Affected Systems

The vulnerability applies to X‑VPN’s macOS website versions 77.0 through 77.5. The affected product is known as X‑VPN macOS website and is distributed by the vendor X‑VPN.

Risk and Exploitability

The flaw is local in nature and requires the attacker to have access to the user’s machine to influence the quarantine/restore workflow. EPSS data is unavailable and the issue is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting no known widespread exploitation at present. Nonetheless, given the high CVSS score, an unpatched system is at significant risk if a local user can trigger the race condition and modify critical system files through symlink manipulation.

Generated by OpenCVE AI on June 9, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the X‑VPN macOS website to a non‑affected version, for example 77.6 or later. This is the only official fix provided by the vendor.
  • Restrict permissions on the quarantine and restore directories so that only trusted processes can create or modify files within them. Limiting write access reduces the window for symlink abuse.
  • Implement additional programmatic checks against unintended symlink creation, or use a filesystem-level lock to serialize access to shared resources, mitigating the race condition underlying the flaw.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allows a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.
Title | | X-VPN macOS website versions - Local Privilege Escalation
First Time appeared | | X-vpn; X-vpn x-vpn Macos Website
Weaknesses | | CWE-367
CPEs | | cpe:2.3:a:x-vpn:x-vpn_macos_website:*:*:macos:*:*:*:*:*
Vendors & Products | | X-vpn; X-vpn x-vpn Macos Website
References | |
Metrics | | cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-09T13:50:29.937Z

Reserved: 2026-02-17T19:47:28.172Z

Link: CVE-2026-2638

Vulnrichment

Updated: 2026-06-09T13:50:26.560Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T13:16:35.680

Modified: 2026-06-09T14:16:38.260

Link: CVE-2026-2638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:21:04Z
