The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0924

CVE-2026-0924: BuhoCleaner Privilege Escalation Flaw

CVE-2026-0924 is a privilege escalation vulnerability in BuhoCleaner that allows local users to gain root access through an insecure XPC service. This article covers technical details, affected versions, and mitigation.

Published: February 6, 2026

CVE-2026-0924 Overview

CVE-2026-0924 is a local privilege escalation vulnerability in BuhoCleaner, a macOS system cleaning utility. The application contains an insecure XPC (Cross-Process Communication) service that allows local, unprivileged users to escalate their privileges to root through the exploitation of insecure functions. This vulnerability enables attackers with local access to gain complete control over affected macOS systems.

Critical Impact

Local attackers can escalate from unprivileged user to root access, potentially leading to complete system compromise, data theft, malware installation, and persistent backdoor access on affected macOS systems.

Affected Products

  • BuhoCleaner version 1.15.2
  • macOS systems running vulnerable BuhoCleaner installations
  • Systems with the insecure XPC service active

Discovery Timeline

  • 2026-02-02 - CVE-2026-0924 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2026-0924

Vulnerability Analysis

This vulnerability stems from improper security controls in BuhoCleaner's XPC service implementation. XPC is Apple's inter-process communication mechanism that allows different processes to communicate with each other on macOS. When properly implemented, XPC services should validate the identity and authorization of connecting clients before performing privileged operations.

The vulnerability is classified under CWE-362 (Race Condition), indicating that the exploitation may involve timing-related issues in how the XPC service handles requests. This could allow an attacker to manipulate the service's state between security checks and privileged operations, a classic Time-of-Check to Time-of-Use (TOCTOU) pattern.

The local attack vector requires the attacker to have initial access to the target system, but the low privilege requirements mean any unprivileged local user can potentially exploit this vulnerability. The successful exploitation results in high impact to confidentiality, integrity, and availability, as the attacker gains root-level access.

Root Cause

The root cause of this vulnerability lies in the insecure implementation of the XPC service within BuhoCleaner. The application exposes privileged functionality through its XPC service without adequate validation of the calling process's authorization or identity. Combined with a race condition vulnerability (CWE-362), the service fails to properly synchronize security-critical operations, allowing attackers to exploit the timing gap between authorization checks and privileged action execution.

This is a common pattern in macOS privilege escalation vulnerabilities where helper tools running with elevated privileges fail to properly verify that requests originate from legitimate, authorized sources.

Attack Vector

The attack leverages the insecure XPC service by connecting to it from an unprivileged user context. The attacker can exploit the race condition by carefully timing malicious requests to bypass security checks. Since the XPC service runs with root privileges to perform system cleaning operations, successful exploitation grants the attacker root access to the system.

An attacker would typically craft a malicious application or script that connects to the BuhoCleaner XPC service and sends specially crafted messages to trigger the insecure functions. By exploiting the race condition, the attacker can manipulate the service into performing privileged operations on their behalf.

For technical details on the vulnerability mechanics, see the Fluid Attacks Security Advisory.

Detection Methods for CVE-2026-0924

Indicators of Compromise

  • Unexpected connections to BuhoCleaner's XPC service from non-BuhoCleaner processes
  • Unusual privilege escalation events correlating with XPC service activity
  • New root-level processes spawned following interactions with the BuhoCleaner helper
  • Suspicious process trees showing unprivileged users executing root commands through XPC mechanisms

Detection Strategies

  • Monitor XPC service connections using macOS Endpoint Security Framework for unauthorized client processes
  • Implement behavioral detection for privilege escalation patterns involving system utility helper tools
  • Alert on unexpected root shell spawns or privilege changes following XPC service interactions
  • Deploy SentinelOne's real-time behavioral AI to detect exploitation attempts targeting local privilege escalation

Monitoring Recommendations

  • Enable comprehensive logging for XPC service connections and privileged operations
  • Monitor /Library/PrivilegedHelperTools/ directory for suspicious helper tool activity
  • Track process ancestry to identify privilege escalation chains originating from XPC services
  • Implement file integrity monitoring on BuhoCleaner installation directories

How to Mitigate CVE-2026-0924

Immediate Actions Required

  • Identify all systems running BuhoCleaner version 1.15.2 and prioritize them for remediation
  • Consider temporarily uninstalling BuhoCleaner until a patched version is available
  • Restrict local user access to systems where the vulnerable application is installed
  • Implement application allowlisting to prevent unauthorized exploitation tools from executing

Patch Information

Users should check the Dr. Buho official website for updates and security patches addressing this vulnerability. Monitor the Fluid Attacks Security Advisory for updated remediation guidance. Update to the latest available version of BuhoCleaner once a fix is released.

Workarounds

  • Uninstall BuhoCleaner until a security patch is available to eliminate the attack surface
  • Disable or remove the privileged helper tool associated with BuhoCleaner if the application is not critical
  • Implement strict local user access controls to limit who can interact with the vulnerable XPC service
  • Deploy endpoint detection and response (EDR) solutions like SentinelOne to detect and block exploitation attempts
bash
# Identify BuhoCleaner installation and helper tools
ls -la /Applications/BuhoCleaner.app
ls -la /Library/PrivilegedHelperTools/ | grep -i buho

# Check running BuhoCleaner processes
ps aux | grep -i buho

# Remove BuhoCleaner helper tool (if uninstalling)
sudo rm -rf /Library/PrivilegedHelperTools/com.drbuho.*

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechBuho Cleaner
  • SeverityHIGH
  • CVSS Score7.3
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-362
  • Technical References
  • Fluid Attacks Security Advisory
  • Dr. Buho Tool Overview
  • Dr. Buho Tool Download
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English