DEV Community

Mark0

SEC Consult SA-20260326-0 :: Local Privilege Escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library

A high-severity Local Privilege Escalation (LPE) vulnerability, tracked as CVE-2026-24068, has been discovered in Vienna Assistant for macOS, a tool by Vienna Symphonic Library. The flaw stems from missing validation in the XPC client and NSXPC endpoints within the VSL privileged helper tool. Specifically, the shouldAcceptNewConnection function fails to verify connecting clients, allowing any local process to interact with the service.

Attackers can exploit this lack of validation to call functions such as writeReceiptFile and runUninstaller. This enables unauthorized users to write files to arbitrary locations or execute commands with root privileges. Since the vendor has remained unresponsive to multiple communication attempts since January 2026, no patch is currently available. Users are advised to contact the vendor directly for a fix and exercise caution when using the software.
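
For developers of privileged helpers, the missing check belongs in the listener delegate. The sketch below is an added example, not code from the advisory or the vendor: it pins connecting clients to a code-signing requirement using the public `setCodeSigningRequirement(_:)` API (macOS 13 and later). The protocol, class names, Mach service name, bundle identifier and team ID are all hypothetical placeholders.

```swift
import Foundation

// Hypothetical interface; the real helper's protocol is not shown on the page.
@objc protocol HelperProtocol {
    func ping(reply: @escaping (String) -> Void)
}

final class Helper: NSObject, HelperProtocol {
    func ping(reply: @escaping (String) -> Void) { reply("ok") }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Developer ID requirement pinned to one client and one team.
    // "com.example.client" and "TEAMID1234" are placeholders (assumptions).
    static let clientRequirement =
        "anchor apple generic " +
        "and identifier \"com.example.client\" " +
        "and certificate 1[field.1.2.840.113635.100.6.2.6] exists " +
        "and certificate leaf[field.1.2.840.113635.100.6.1.13] exists " +
        "and certificate leaf[subject.OU] = \"TEAMID1234\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        guard #available(macOS 13.0, *) else {
            // Fail closed: without the requirement API, reject instead of
            // exposing root-level methods to unverified peers.
            return false
        }
        // Must be set before resume(); messages from a peer that does not
        // satisfy the requirement invalidate the connection.
        newConnection.setCodeSigningRequirement(Self.clientRequirement)
        newConnection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        newConnection.exportedObject = Helper()
        newConnection.resume()
        return true
    }
}

let delegate = ListenerDelegate()
// Placeholder Mach service name (assumption).
let listener = NSXPCListener(machServiceName: "com.example.helper")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

Client verification does not replace input validation: methods that write files or launch programs as root should still restrict the paths and arguments they accept.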

