CVE-2026-26224

Intego Log Reporter, a macOS diagnostic utility bundled with Intego security products that collects system and application logs for support analysis, contains a local privilege escalation vulnerability. A root-executed diagnostic script creates and writes files in /tmp without enforcing secure directory handling, introducing a time-of-check to time-of-use (TOCTOU) race condition. A local unprivileged user can exploit a symlink-based race condition to cause arbitrary file writes to privileged system locations, resulting in privilege escalation to root.

CVSS

No CVSS.

References

Link	Resource
https://blog.quarkslab.com/intego_lpe_macos_1.html
https://blog.quarkslab.com/resources/2026-02-10_intego_1/40945709530779-How-to-Use-the-Intego-Log-Reporter.pdf
https://www.intego.com/
https://www.vulncheck.com/advisories/intego-log-reporter-toctou-local-privilege-escalation

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Intego Log Reporter, una utilidad de diagnóstico de macOS incluida con los productos de seguridad de Intego que recopila registros del sistema y de aplicaciones para análisis de soporte, contiene una vulnerabilidad de escalada de privilegios local. Un script de diagnóstico ejecutado como root crea y escribe archivos en /tmp sin aplicar un manejo seguro del directorio, introduciendo una condición de carrera de tiempo de verificación a tiempo de uso (TOCTOU). Un usuario local sin privilegios puede explotar una condición de carrera basada en symlink para causar escrituras de archivos arbitrarias en ubicaciones privilegiadas del sistema, lo que resulta en una escalada de privilegios a root.

12 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 22:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-26224

Mitre link : CVE-2026-26224

CVE.ORG link : CVE-2026-26224

JSON object : View

Products Affected

No product.

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2026-26224", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-12T22:16:07.320", "references": [{"url": "https://blog.quarkslab.com/intego_lpe_macos_1.html", "source": "disclosure@vulncheck.com"}, {"url": "https://blog.quarkslab.com/resources/2026-02-10_intego_1/40945709530779-How-to-Use-the-Intego-Log-Reporter.pdf", "source": "disclosure@vulncheck.com"}, {"url": "https://www.intego.com/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/intego-log-reporter-toctou-local-privilege-escalation", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "Intego Log Reporter, a macOS diagnostic utility bundled with Intego security products that collects system and application logs for support analysis, contains a local privilege escalation vulnerability. A root-executed diagnostic script creates and writes files in /tmp without enforcing secure directory handling, introducing a time-of-check to time-of-use (TOCTOU) race condition. A local unprivileged user can exploit a symlink-based race condition to cause arbitrary file writes to privileged system locations, resulting in privilege escalation to root."}, {"lang": "es", "value": "Intego Log Reporter, una utilidad de diagn\u00f3stico de macOS incluida con los productos de seguridad de Intego que recopila registros del sistema y de aplicaciones para an\u00e1lisis de soporte, contiene una vulnerabilidad de escalada de privilegios local. Un script de diagn\u00f3stico ejecutado como root crea y escribe archivos en /tmp sin aplicar un manejo seguro del directorio, introduciendo una condici\u00f3n de carrera de tiempo de verificaci\u00f3n a tiempo de uso (TOCTOU). Un usuario local sin privilegios puede explotar una condici\u00f3n de carrera basada en symlink para causar escrituras de archivos arbitrarias en ubicaciones privilegiadas del sistema, lo que resulta en una escalada de privilegios a root."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "disclosure@vulncheck.com"}