CVE-2026-24068
Published: 26 March 2026
Summary
CVE-2026-24068 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Sec Consult (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 15.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to the privileged XPC listener's functions, directly addressing the missing client validation in shouldAcceptNewConnection.
- AC-6 (Least Privilege): ensures that only authorized processes can invoke privileged helper functions such as writeReceiptFile and runUninstaller, preventing privilege escalation by low-privilege attackers.
- Input validation: validates the inputs to the exposed functions, mitigating arbitrary file writes and executions even if unauthorized access occurs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability description explicitly details missing authentication on a privileged XPC helper tool, directly enabling arbitrary file writes and execution to achieve privilege escalation from a low-privileged context (CWE-306).
NVD Description
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and "runUninstaller" of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.
Deeper analysis
CVE-2026-24068 affects the VSL privileged helper, which uses NSXPC for inter-process communication on macOS. The vulnerability stems from the helper's implementation of "shouldAcceptNewConnection", the listener delegate method that the NSXPC framework calls to decide whether a client may connect: it performs no client validation, so any process can establish a connection to the XPC listener using the configured protocol. This exposes every function in the corresponding HelperToolProtocol, including "writeReceiptFile" and "runUninstaller", which perform no further validation of their inputs or of the caller. The issue, classified under CWE-306 (Missing Authentication for Critical Function), was published on 2026-03-26 and carries a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability; the CVSS vector also records it as network accessible (AV:N). By connecting to the service from a malicious process, the attacker can invoke the unvalidated functions to write arbitrary files to any location on the filesystem or to execute any file with arbitrary arguments, escalating privileges from the attacker's initial low-privilege context.
Advisories providing further details, including potential mitigations, are available at https://r.sec-consult.com/vsl and http://seclists.org/fulldisclosure/2026/Apr/3.
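The fix the Mitigating Controls section calls for, as an added Objective-C example that is not code from the VSL helper or from the advisory: the vulnerable pattern the NVD text describes (the delegate exporting its object and returning YES for every client) is replaced by a delegate that binds each connection to a code-signing requirement before anything is exported, and the one exposed function validates its input instead of writing wherever it is told. The protocol name, selector, bundle identifier, Team ID and receipt directory are assumptions; `setCodeSigningRequirement:` is public NSXPCConnection API from macOS 13 onward.

```objective-c
#import <Foundation/Foundation.h>
#include <errno.h>
// Protocol name and selector are assumptions modelled on the advisory text.
@protocol HelperToolProtocol
- (void)writeReceiptFile:(NSString *)name contents:(NSData *)data
                   reply:(void (^)(NSError * _Nullable))reply;
@end
@interface HelperListener : NSObject <NSXPCListenerDelegate, HelperToolProtocol>
@end

@implementation HelperListener
// The advisory's flaw is this delegate method exporting the object and
// returning YES for every client. Hardened form: bind the connection to a
// code-signing requirement first. Identifier and Team ID are placeholders.
- (BOOL)listener:(NSXPCListener *)listener
shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // Public API since macOS 13: a peer that fails the requirement has
        // its messages rejected and the connection invalidated.
        [newConnection setCodeSigningRequirement:
            @"anchor apple generic and identifier \"com.example.vslclient\" "
            @"and certificate leaf[subject.OU] = \"TEAMID0000\""];
    } else {
        // Older systems need a SecCode check of the peer's audit token (not
        // shown); refusing beats falling back to accepting everyone.
        return NO;
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}

// Input validation for the exposed function: a receipt is written only under
// one fixed directory, with the caller's name used as a single path component.
- (void)writeReceiptFile:(NSString *)name contents:(NSData *)data
                   reply:(void (^)(NSError * _Nullable))reply {
    static NSString *const kDir = @"/Library/Application Support/ExampleHelper/Receipts";
    if (name.length == 0 || [name containsString:@"/"] || [name hasPrefix:@"."]) {
        reply([NSError errorWithDomain:NSPOSIXErrorDomain code:EINVAL userInfo:nil]);
        return;
    }
    NSError *err = nil;
    [data writeToFile:[kDir stringByAppendingPathComponent:name]
              options:NSDataWritingAtomic error:&err];
    reply(err);
}
@end
```

Pair the requirement with the helper's own launchd plist and SMJobBless/SMAppService configuration so that only the signed client bundle named in the requirement ever reaches the listener.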
Details
- CWE(s): CWE-306 (Missing Authentication for Critical Function)