CVE-2026-40604 Overview
CVE-2026-40604 is a protection mechanism failure vulnerability in ClearanceKit, a macOS file-system access control utility. The vulnerability exists in the opfilter Endpoint Security system extension (bundle ID uk.craigbass.clearancekit.opfilter), which any process running with root privileges can suspend or terminate using standard Unix signals. When the extension is suspended with SIGSTOP (for example via kill -STOP), or killed with SIGKILL or SIGTERM, all pending AUTH Endpoint Security events time out and default to allow, effectively disabling ClearanceKit's file-access policy enforcement for as long as the extension is not responding.
Critical Impact
Any root-level process can silently disable ClearanceKit's file-access policy enforcement by suspending the security extension, allowing unauthorized file system access during the suspension period.
Affected Products
- ClearanceKit versions prior to 5.0.6
- ClearanceKit opfilter Endpoint Security system extension (uk.craigbass.clearancekit.opfilter)
- macOS systems running vulnerable ClearanceKit versions
Discovery Timeline
- 2026-04-21 - CVE-2026-40604 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40604
Vulnerability Analysis
This vulnerability represents a protection mechanism failure (CWE-693) in ClearanceKit's endpoint security architecture. The core issue lies in how the macOS Endpoint Security framework handles AUTH (authorization) events, for which it waits on the subscribing extension's allow-or-deny verdict, when that extension becomes unresponsive or is terminated.
When the opfilter system extension is suspended using process control signals, it can no longer respond to AUTH events within the framework's timeout window. The Endpoint Security framework implements fail-open behavior: an AUTH event that is not answered before the deadline defaults to allow. This design decision, while preventing system lockups from unresponsive extensions, creates a security bypass opportunity.
An attacker who has obtained root privileges on a macOS system can leverage this vulnerability to temporarily disable all file-access policy enforcement without generating alerts or requiring modification of security configurations. The attack is particularly concerning because it leaves no persistent artifacts and can be precisely timed to coincide with malicious file system operations.
Root Cause
The root cause is the lack of signal handling protection for the opfilter Endpoint Security system extension. The extension does not implement proper safeguards against process control signals that would suspend or terminate its execution. Note that SIGSTOP and SIGKILL cannot be caught, blocked or ignored by the receiving process, so any such safeguard has to be enforced outside the extension itself, for example by a supervising component that notices the stopped or missing process and alerts. Combined with the Endpoint Security framework's default-to-allow timeout behavior for AUTH events, the missing safeguard creates a complete bypass of file-access controls.
Additionally, macOS allows any root-level process to send signals to system extensions, as there is no additional protection layer preventing signal delivery to security-critical components.
Attack Vector
The attack vector requires local access with root privileges. An attacker with root access can execute a straightforward attack sequence:
- Identify the process ID of the ClearanceKit opfilter extension
- Send a SIGSTOP signal to suspend the extension process
- Perform unauthorized file system operations while AUTH events default to allow
- Optionally resume the extension with SIGCONT or allow it to remain suspended
The local attack vector combined with the requirement for high privileges means an attacker must first compromise the system to root level. However, once that threshold is crossed, this vulnerability provides a clean method to bypass file-access controls without modifying security policies or leaving configuration changes as evidence.
Detection Methods for CVE-2026-40604
Indicators of Compromise
- Unusual SIGSTOP, SIGKILL, or SIGTERM signals sent to the opfilter process
- Gaps in ClearanceKit logging or file-access audit trails
- Process status changes for uk.craigbass.clearancekit.opfilter showing stopped or terminated states
- Suspicious file system activity occurring during periods when the extension was not responsive
Detection Strategies
- Monitor process state changes for the ClearanceKit opfilter extension using process auditing
- Implement signal delivery monitoring for security-critical system extensions
- Configure endpoint detection to alert on root-level processes sending control signals to security extensions
- Enable audit logging for the Endpoint Security framework to detect timeout events
Monitoring Recommendations
- Deploy SentinelOne agents to monitor for process manipulation of security extensions
- Establish baseline behavior for the opfilter extension and alert on deviations
- Implement heartbeat monitoring for critical security components with alerting on unresponsiveness
- Correlate file system access events with security extension availability to identify exploitation windows
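The process-state monitoring, heartbeat and correlation strategies listed above can be combined into one small detector. The following is an added example written for this advisory, not ClearanceKit, SentinelOne or Apple code. It assumes the extension appears in `ps` output with a command name containing its bundle ID, that a `T` in the BSD `STAT` column marks a stopped (SIGSTOP'd) process as it does on macOS, and that file-access events and heartbeat samples arrive as timestamped records; all sample data is constructed, and the `/Library/SystemExtensions/EXAMPLE/...` path is a placeholder.

```python
#!/usr/bin/env python3
"""Detector for the opfilter-suspension pattern described in the advisory.

Added illustration; not ClearanceKit, SentinelOne or Apple code. Assumptions:
the extension's `ps` command name contains its bundle ID, and a 'T' in the
BSD STAT column means the process is stopped (SIGSTOP), as on macOS.
"""
from datetime import datetime
import subprocess

EXTENSION_ID = "uk.craigbass.clearancekit.opfilter"   # bundle ID from the advisory


def classify_state(ps_output: str, name: str = EXTENSION_ID) -> str:
    """Classify the extension from `ps -axo pid,stat,comm` text.

    Returns 'running', 'stopped' (STAT contains 'T': suspended by SIGSTOP) or
    'missing' (no such process: killed, crashed or never loaded). Both of the
    last two states leave AUTH events timing out and defaulting to allow.
    """
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        _pid, stat, comm = fields
        if name in comm:
            return "stopped" if "T" in stat else "running"
    return "missing"


def live_state() -> str:
    """Heartbeat probe against the real system (not exercised offline)."""
    ps = subprocess.run(["ps", "-axo", "pid,stat,comm"],
                        capture_output=True, text=True, check=True)
    return classify_state(ps.stdout)


def unresponsive_windows(samples):
    """Turn heartbeat samples [(datetime, state), ...] into [(start, end), ...]
    intervals during which policy was not enforced.

    A window opens at the last probe that still saw the extension running
    (the stop could have happened any time after it) and closes at the first
    probe that sees it running again; a window still open at the final sample
    ends at that sample's time.
    """
    windows, start, last_ok = [], None, None
    for ts, state in samples:
        if state == "running":
            if start is not None:
                windows.append((start, ts))             # window closes
                start = None
            last_ok = ts
        elif start is None:
            start = last_ok if last_ok is not None else ts   # window opens
    if start is not None:
        windows.append((start, samples[-1][0]))
    return windows


def events_in_windows(events, windows):
    """Return the file-access events [(datetime, path, process), ...] that fall
    inside any unresponsive window, i.e. accesses that bypassed enforcement."""
    return [ev for ev in events
            if any(start <= ev[0] <= end for start, end in windows)]


# ---- constructed sample data (not real telemetry) -------------------------
T = datetime.fromisoformat

SAMPLE_PS = """  PID STAT COMM
    1 Ss   /sbin/launchd
  412 Ss   /Library/SystemExtensions/EXAMPLE/uk.craigbass.clearancekit.opfilter
  987 S    /usr/sbin/sshd
"""
SAMPLE_PS_STOPPED = SAMPLE_PS.replace("412 Ss ", "412 T  ")   # same snapshot, SIGSTOP'd

HEARTBEATS = [  # one probe every 30 s; the extension is stopped for about 90 s
    (T("2026-04-21T10:00:00"), "running"),
    (T("2026-04-21T10:00:30"), "running"),
    (T("2026-04-21T10:01:00"), "stopped"),
    (T("2026-04-21T10:01:30"), "stopped"),
    (T("2026-04-21T10:02:00"), "stopped"),
    (T("2026-04-21T10:02:30"), "running"),
]
FILE_EVENTS = [
    (T("2026-04-21T10:00:10"), "/Users/alice/notes.txt", "TextEdit"),
    (T("2026-04-21T10:01:45"), "/Users/alice/Documents/payroll.xlsx", "cp"),
    (T("2026-04-21T10:02:05"), "/Users/alice/Documents/contracts.pdf", "cp"),
    (T("2026-04-21T10:03:00"), "/Users/alice/notes.txt", "TextEdit"),
]


def demo():
    """Correlate the constructed heartbeats with the constructed file events."""
    windows = unresponsive_windows(HEARTBEATS)
    suspicious = events_in_windows(FILE_EVENTS, windows)
    for start, end in windows:
        print(f"extension unresponsive {start:%H:%M:%S}-{end:%H:%M:%S}")
    for ts, path, proc in suspicious:
        print(f"  unenforced access {ts:%H:%M:%S} {proc} -> {path}")
    return suspicious


if __name__ == "__main__":
    print("ps snapshot state:", classify_state(SAMPLE_PS_STOPPED))
    demo()
```

Run on a live host, `live_state()` polled every few seconds gives the heartbeat stream, and the `stopped` or `missing` result on its own is the alertable condition the Monitoring Recommendations describe; the window-based correlation is what turns an after-the-fact audit of file-access logs into a list of the accesses that were never subject to policy. Opening each window at the last known-good probe is deliberately conservative, so a coarse probe interval trades a few false positives for no missed events.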
How to Mitigate CVE-2026-40604
Immediate Actions Required
- Upgrade ClearanceKit to version 5.0.6 or later immediately
- Audit systems for evidence of past exploitation by reviewing process signal logs
- Implement additional monitoring for security extension process states
- Review root-level access on systems running ClearanceKit to minimize attack surface
Patch Information
The vulnerability is fixed in ClearanceKit version 5.0.6. According to the GitHub Security Advisory, this version addresses the signal handling vulnerability in the opfilter Endpoint Security system extension. Organizations should prioritize upgrading to this version to restore proper security controls.
Workarounds
- Restrict root-level access to minimize the pool of potential attackers who could exploit this vulnerability
- Implement compensating controls such as additional file integrity monitoring solutions
- Deploy SentinelOne endpoint protection to provide defense-in-depth against malicious file system operations
- Consider network segmentation for systems where immediate patching is not feasible
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.