CVE-2026-24067

Published Jun 10, 2026

Last updated 4 days ago

CVSS high 8.4

Overview

Description
Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.
Source
551230f0-3615-47bd-b7cc-93e92e730bbf
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.4
Impact score
5.9
Exploitability score
2.5
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

551230f0-3615-47bd-b7cc-93e92e730bbf
CWE-367

Social media

Hype score
Not currently trending

  1. 『The vendor was unresponsive since January 2026 and a patch is not available.』😵 CVE-2026-24066, CVE-2026-24067 Local Privilege Escalation in Slate Digital Connect (macOS) https://t.co/KXq0XEO9u4

    @autumn_good_35

    10 Jun 2026

    257 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.