Description

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.

INFO

Published Date :

2026-03-26T10:55:54.603Z

Last Modified :

2026-04-03T05:33:07.150Z

Source :

SEC-VLab
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24068 vulnerability.

Vendors Products
Vienna Symphonic Library
  • Vienna Assistant
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24068.

URL Resource
http://seclists.org/fulldisclosure/2026/Apr/3 cve-icon
https://r.sec-consult.com/vsl cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact