CVE-2026-24068 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 26, 2026
VSL privileged helper - Broken Access Control
Published: March 26, 2026 | Updated: March 26, 2026 | Remote Exploitable
Overview
The VSL privileged helper contains a broken access control flaw caused by missing client validation in the NSXPC 'shouldAcceptNewConnection' function. Any process can write files or execute commands, and exploitation requires no special privileges.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Any process can write arbitrary files and execute commands, leading to full privilege escalation on the system.
Mitigation
Update to the latest version with proper NSXPC client validation.
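What client validation in 'shouldAcceptNewConnection' can look like, as an added example that is not the vendor's code: the delegate pins each connection to a code-signing requirement before resuming it. The protocol name, Mach service name, bundle identifier and Team ID are placeholders, and the sketch assumes macOS 13 or later for `setCodeSigningRequirement:`.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical interface; the page does not list the helper's real protocol.
@protocol HelperProtocol
- (void)pingWithReply:(void (^)(NSString *))reply;
@end

@interface HelperDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

// Placeholder requirement: substitute the real client bundle identifier and Team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

@implementation HelperDelegate

// A delegate that returns YES here without inspecting the peer is the
// missing-validation pattern (CWE-306) the overview describes.
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // Messages from a sender that does not satisfy the requirement
        // cause the system to invalidate the connection.
        [newConnection setCodeSigningRequirement:kClientRequirement];
    } else {
        // No public requirement API on older systems: fail closed.
        return NO;
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}

- (void)pingWithReply:(void (^)(NSString *))reply { reply(@"ok"); }
@end

int main(void) {
    @autoreleasepool {
        HelperDelegate *delegate = [HelperDelegate new];
        // Placeholder Mach service name.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```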
Details
- CVE ID: CVE-2026-24068
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H