HIGH
Vienna Symphonic Library GmbH
CVE published 2026-03-26
CVE-2026-24068
A macOS privileged helper tool (VSL) fails to validate XPC client connections in its `shouldAcceptNewConnection` handler, allowing any process to connect and invoke `writeReceiptFile` and `runUninstaller` endpoints without authorization. These endpoints permit arbitrary file writes and command execution with elevated privileges, resulting in local privilege escalation.