{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-24071","assignerOrgId":"551230f0-3615-47bd-b7cc-93e92e730bbf","state":"PUBLISHED","assignerShortName":"SEC-VLab","dateReserved":"2026-01-21T11:29:19.854Z","datePublished":"2026-02-02T13:23:51.846Z","dateUpdated":"2026-02-03T14:42:22.938Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unknown","platforms":["MacOS"],"product":"Native Access","vendor":"Native Instruments","versions":[{"status":"affected","version":"verified up to 3.22.0"}]}],"credits":[{"lang":"en","type":"finder","value":"Florian Haselsteiner, SEC Consult Vulnerability Lab"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"It was found that the XPC service offered by the privileged helper of Native Access  uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks.&nbsp;The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks.<br>"}],"value":"It was found that the XPC service offered by the privileged helper of Native Access  uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. \nThis value can not be trusted since it is vulnerable to PID reuse attacks."}],"impacts":[{"capecId":"CAPEC-29","descriptions":[{"lang":"en","value":"CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-367","description":"CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"551230f0-3615-47bd-b7cc-93e92e730bbf","shortName":"SEC-VLab","dateUpdated":"2026-02-02T13:23:51.846Z"},"references":[{"tags":["third-party-advisory"],"url":"https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The vendor was unreachable and did not respond to multiple contact attempts. No patch is available. Customers should contact the vendor and request a patch.</p>"}],"value":"The vendor was unreachable and did not respond to multiple contact attempts. No patch is available. \nCustomers should contact the vendor and request a patch."}],"source":{"discovery":"EXTERNAL"},"title":"XPC Client Validation via PID leading to Local Privilege Escalation in Native Instruments Native Access","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-02-02T17:08:50.317360Z","id":"CVE-2026-24071","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-03T14:42:22.938Z"}}]}}