CVE-2026-24067

CVE-2026-24067: Slate Digital Connect macOS XPC PID validation privilege escalation

Vendor Slate Digital Llc
Product Slate Digital Connect
Weakness CWE-367
Published June 10, 2026
Last update June 10, 2026

CVSS base score

What the vulnerability does

01Description

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.

Key dates

02Disclosure timeline

June 10, 2026 CVE published
June 10, 2026 Record updated