CVE-2026-0924

N/A Unknown

📋 TL;DR

BuhoCleaner version 1.15.2 contains an insecure XPC service that allows local, unprivileged users to execute arbitrary code with root privileges. This vulnerability affects all users running the vulnerable version of BuhoCleaner on macOS systems.

💻 Affected Systems

Products:
  • BuhoCleaner
Versions: 1.15.2
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of BuhoCleaner 1.15.2 are vulnerable by default. The XPC service runs with elevated privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root access to the system, enabling complete compromise, data theft, persistence mechanisms, and lateral movement.

🟠 Likely Case

Malicious local user or malware escalates privileges to install additional payloads, modify system files, or bypass security controls.

🟢 If Mitigated

Attack limited to users with local access; proper privilege separation and monitoring could detect unusual privilege escalation attempts.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Any user with local access (including compromised accounts or malware) can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access but is straightforward to execute once local access is obtained. The advisory from Fluid Attacks provides technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.drbuho.com/buhocleaner

Restart Required: No

Instructions:

1. Check vendor website for updated version.
2. Uninstall BuhoCleaner 1.15.2.
3. Install patched version if available.
4. Monitor vendor communications for security updates.

🔧 Temporary Workarounds

Uninstall BuhoCleaner

macOS

Remove the vulnerable software to eliminate the attack surface

sudo rm -rf /Applications/BuhoCleaner.app
sudo rm -rf ~/Library/Application\ Support/BuhoCleaner
sudo rm -rf ~/Library/Preferences/com.drbuho.BuhoCleaner.plist

Restrict XPC Service Execution

macOS

Use macOS privacy controls to restrict the vulnerable XPC service

🧯 If You Can't Patch

  • Remove BuhoCleaner from all systems immediately
  • Implement strict local access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if BuhoCleaner version 1.15.2 is installed: ls /Applications/ | grep BuhoCleaner and check version in app info

Check Version:

Check app version in Finder Get Info or run: mdls -name kMDItemVersion /Applications/BuhoCleaner.app

Verify Fix Applied:

Verify BuhoCleaner is either removed or updated to a version later than 1.15.2
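
The version check above can be scripted so that it behaves the same on every host. This is an added example, not code from the vendor or the advisory: it parses the output of the mdls command shown above and compares it to 1.15.2. The function names and status labels are assumptions of this example.

```sh
#!/bin/sh
# Added example; function names and status labels are this example's own.
VULN_VERSION="1.15.2"   # the only affected version the page lists

# Pull the version out of a line such as: kMDItemVersion = "1.15.2"
# Prints nothing for "(null)" or for mdls error text.
parse_mdls_version() {
    printf '%s\n' "$1" |
        sed -n 's/^kMDItemVersion *= *"\([0-9][0-9.]*\)".*$/\1/p' | head -n 1
}

# Compare dotted numeric versions field by field, so 1.15.10 > 1.15.2.
# Prints -1, 0 or 1.
compare_versions() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# Map raw mdls output to a status line.
classify_mdls_output() {
    version=$(parse_mdls_version "$1")
    if [ -z "$version" ]; then
        # App absent, or Spotlight holds no version metadata for it:
        # not proof of removal, so confirm the bundle is gone.
        echo "NO_VERSION"
        return
    fi
    case $(compare_versions "$version" "$VULN_VERSION") in
        0) echo "VULNERABLE $version" ;;
        1) echo "LATER $version" ;;
        *) echo "EARLIER_UNLISTED $version" ;;  # page says nothing about these
    esac
}

# On a Mac, classify the live output of the page's command.
if command -v mdls >/dev/null 2>&1; then
    classify_mdls_output \
        "$(mdls -name kMDItemVersion /Applications/BuhoCleaner.app 2>&1)"
fi
```

Only LATER meets the "later than 1.15.2" criterion above. A plain string comparison would rank 1.15.10 below 1.15.2, which is why the fields are compared numerically.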

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation events
  • XPC service abuse logs
  • Process execution with unexpected root privileges

Network Indicators:

  • Local privilege escalation typically has minimal network indicators

SIEM Query:

process where parent_process_name contains "BuhoCleaner" and user_id changes from non-root to root
