
Description

A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allows a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.

PUBLISHED Reserved 2026-02-17 | Published 2026-06-09 | Updated 2026-06-09 | Assigner Fluid Attacks




HIGH: 7.3 | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Product status

Default status
unaffected

77.0 (custom)
affected

Credits

Oscar Uribe (finder)

References

fluidattacks.com/es/advisories/soad exploit

fluidattacks.com/es/advisories/soad third-party-advisory

xvpn.io/...tatement-local-privilege-escalation-vulnerability vendor-advisory

xvpn.io/download/vpn-mac patch

xvpn.io/ product

cve.org (CVE-2026-2638)

nvd.nist.gov (CVE-2026-2638)
