CVE-2026-24064: Waves Central macOS Privilege Escalation (CVSS 7.8)
Waves Central for macOS has a serious local privilege escalation flaw in versions 13.0.9 through 16.5.5. An attacker with access to a user account on an affected Mac can inject malicious code into a trusted Waves process by manipulating how the system loads libraries, then escalate to root privileges. This vulnerability is fixed in version 16.6.2 and should be treated as urgent by any organization running Waves audio production software on macOS.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-426
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an XPC client component in Waves Central that is signed with hardened runtime entitlements but does not prevent dynamic library injection. An attacker can exploit DYLD_INSERT_LIBRARIES environment variable injection to load an attacker-controlled dynamic library into the trusted, signed process at launch time. Because the injected code executes within the context of the hardened runtime process, it gains the ability to communicate with Waves Central's privileged helper service and invoke privileged operations, ultimately achieving arbitrary code execution with root-level privileges.
Business impact
Organizations deploying Waves Central on macOS infrastructure—particularly those in audio production, post-production, and media workflows—face elevated risk. Any local user on an affected machine can escalate to root and compromise the entire system, potentially affecting sensitive content, intellectual property, and downstream production pipelines. Remediation requires immediate patching to version 16.6.2 to eliminate the attack surface.
Affected systems
Waves Central for macOS versions 13.0.9 through 16.5.5 are vulnerable. Version 16.6.2 and later are not affected. Systems running versions outside this range are not impacted by this specific flaw. Verify your installed version via Waves Central's About or Help menu.
Exploitability
This vulnerability has a low attack complexity and requires only user-level privileges to trigger; no user interaction is needed. Any local account on the machine can exploit it. However, it does require local access, limiting exploitation to insider threats, supply-chain compromises, or scenarios where an attacker has already achieved initial access to the system. The attack is straightforward from a technical perspective and does not depend on defeating additional hardening measures.
Remediation
Update Waves Central to version 16.6.2 or later. This is a mandatory update for all users running affected versions. No workarounds exist that eliminate the root cause. After patching, verify the new version is active and no legacy processes are still running the vulnerable code.
Patch guidance
Download and install Waves Central version 16.6.2 or later from the official Waves website or through Waves' in-application update mechanism. Test the update in a non-critical environment first if possible to ensure compatibility with your audio workflows and dependent plugins. After installation, restart any running Waves applications and verify the version number to confirm successful deployment.
Detection guidance
Monitor for exploitation attempts by logging processes launched with DYLD_INSERT_LIBRARIES set, unusual child processes spawned by Waves Central components, and unexpected root-level process creation. Query installed Waves Central versions via software inventory tools or command-line version checks (e.g., `defaults read` for application bundles). Look for evidence of privilege escalation in system logs and audit trails following suspicious Waves process execution.
Why prioritize this
This vulnerability combines high-impact privilege escalation with low exploitation friction. The CVSS 3.1 score of 7.8 (HIGH) reflects the severity: arbitrary code execution as root from a low-privileged account. Although the KEV catalog has not yet flagged this vulnerability, the straightforward nature of the exploit, the maturity of the underlying DYLD injection technique, and the broad deployment of Waves Central in creative industries warrant urgent prioritization. Any local access scenario should be treated as a potential attack vector.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects Attack Vector: Local, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, and impact to Confidentiality, Integrity, and Availability all High. The vulnerability is not ranked as Critical because it requires local access; however, the complete lack of friction in exploitation and the severity of the impact (root code execution) justify the HIGH rating. Organizations should treat this as equivalent to a critical flaw in their risk models.
Frequently asked questions
I use Waves Central on my Mac but only for occasional mixing. Do I still need to patch immediately?
Yes. Even occasional use puts your system at risk if you share the Mac with other users or if the machine is ever exposed to untrusted parties. A local attacker needs only seconds to inject the malicious library, and there is no user-facing prompt or interaction required. Patch as soon as practical.
Are Waves plugins on Windows affected by this vulnerability?
No. This vulnerability is specific to Waves Central for macOS and exploits macOS-specific mechanisms (DYLD_INSERT_LIBRARIES, XPC, hardened runtime). Windows systems are not affected. However, if you run Waves Central on both platforms, update the macOS instances.
How can I check which version of Waves Central I have installed?
Launch Waves Central, open the menu (usually top-left or top-right depending on version), and select About or Help. The version number will be displayed. You need 16.6.2 or later. If you are unsure, contact Waves support or check your application folder's Info.plist file.
If I disable Waves Central completely, am I safe?
Yes, disabling or uninstalling Waves Central removes the vulnerable component and eliminates this specific attack vector. However, if you rely on Waves plugins in your DAW, you will lose access to them. Patching to 16.6.2 is the recommended path to maintain functionality and security.
This analysis is based on the vulnerability description and available metadata as of the publication date. Verify all version numbers, patch availability, and applicability against the official Waves website and vendor advisories before deploying patches. Testing in non-production environments is strongly recommended. SEC.co makes no guarantee of exploit availability, real-world attack prevalence, or timeline to weaponization. Organizations should conduct their own risk assessment based on asset inventory, exposure, and business criticality. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11400HIGHAWS Advanced JDBC Wrapper Privilege Escalation in Aurora PostgreSQL
- CVE-2026-11401HIGHAurora PostgreSQL Privilege Escalation via Untrusted Search Path in AWS Advanced Go Wrapper
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20244HIGHSQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches