CVE-2026-24071 (GCVE-0-2026-24071)

Vulnerability from cvelistv5 – Published: 2026-02-02 13:23 – Updated: 2026-02-03 14:42
VLAI?
Title
XPC Client Validation via PID leading to Local Privilege Escalation in Native Instruments Native Access
Summary
It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
Impacted products
Vendor Product Version
Native Instruments Native Access Affected: verified up to 3.22.0
Create a notification for this product.
Credits
Florian Haselsteiner, SEC Consult Vulnerability Lab
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-24071",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-02T17:08:50.317360Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T14:42:22.938Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "platforms": [
            "MacOS"
          ],
          "product": "Native Access",
          "vendor": "Native Instruments",
          "versions": [
            {
              "status": "affected",
              "version": "verified up to 3.22.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It was found that the XPC service offered by the privileged helper of Native Access  uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks.\u0026nbsp;The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks.\u003cbr\u003e"
            }
          ],
          "value": "It was found that the XPC service offered by the privileged helper of Native Access  uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks.\u00a0The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-29",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T13:23:51.846Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe vendor was unreachable and did not respond to multiple contact attempts. No patch is available. Customers should contact the vendor and request a patch.\u003c/p\u003e"
            }
          ],
          "value": "The vendor was unreachable and did not respond to multiple contact attempts. No patch is available. Customers should contact the vendor and request a patch."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "XPC Client Validation via PID leading to Local Privilege Escalation in Native Instruments Native Access",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2026-24071",
    "datePublished": "2026-02-02T13:23:51.846Z",
    "dateReserved": "2026-01-21T11:29:19.854Z",
    "dateUpdated": "2026-02-03T14:42:22.938Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24071\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2026-02-02T14:16:35.753\",\"lastModified\":\"2026-02-03T16:44:36.630\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It was found that the XPC service offered by the privileged helper of Native Access  uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks.\u00a0The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-367\"}]}],\"references\":[{\"url\":\"https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24071\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-02T17:08:50.317360Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-02T17:01:49.245Z\"}}], \"cna\": {\"title\": \"XPC Client Validation via PID leading to Local Privilege Escalation in Native Instruments Native Access\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Florian Haselsteiner, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-29\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions\"}]}], \"affected\": [{\"vendor\": \"Native Instruments\", \"product\": \"Native Access\", \"versions\": [{\"status\": \"affected\", \"version\": \"verified up to 3.22.0\"}], \"platforms\": [\"MacOS\"], \"defaultStatus\": \"unknown\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor was unreachable and did not respond to multiple contact attempts. No patch is available. Customers should contact the vendor and request a patch.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe vendor was unreachable and did not respond to multiple contact attempts. No patch is available. Customers should contact the vendor and request a patch.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"It was found that the XPC service offered by the privileged helper of Native Access  uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks.\\u00a0The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"It was found that the XPC service offered by the privileged helper of Native Access  uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks.\u0026nbsp;The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-367\", \"description\": \"CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-02-02T13:23:51.846Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24071\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T14:42:22.938Z\", \"dateReserved\": \"2026-01-21T11:29:19.854Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-02-02T13:23:51.846Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.