{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23988", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T18:49:20.657Z", "datePublished": "2026-01-22T21:52:26.925Z", "dateUpdated": "2026-01-23T20:13:25.446Z"}, "containers": {"cna": {"title": "Rufus has Local Privilege Escalation via TOCTOU Race Condition in Fido Script Handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9"}, {"name": "https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873", "tags": ["x_refsource_MISC"], "url": "https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873"}, {"name": "https://github.com/pbatard/rufus/releases/tag/v4.12_BETA", "tags": ["x_refsource_MISC"], "url": "https://github.com/pbatard/rufus/releases/tag/v4.12_BETA"}], "affected": [{"vendor": "pbatard", "product": "rufus", "versions": [{"version": "< 4.12_BETA", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T21:52:26.925Z"}, "descriptions": [{"lang": "en", "value": "Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA."}], "source": {"advisory": "GHSA-hcx5-hrhj-xhq9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:13:16.085068Z", "id": "CVE-2026-23988", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:13:25.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23988", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T20:13:16.085068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:13:21.818Z"}}], "cna": {"title": "Rufus has Local Privilege Escalation via TOCTOU Race Condition in Fido Script Handling", "source": {"advisory": "GHSA-hcx5-hrhj-xhq9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pbatard", "product": "rufus", "versions": [{"status": "affected", "version": "< 4.12_BETA"}]}], "references": [{"url": "https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9", "name": "https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873", "name": "https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/pbatard/rufus/releases/tag/v4.12_BETA", "name": "https://github.com/pbatard/rufus/releases/tag/v4.12_BETA", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T21:52:26.925Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23988", "state": "PUBLISHED", "dateUpdated": "2026-01-23T20:13:25.446Z", "dateReserved": "2026-01-19T18:49:20.657Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T21:52:26.925Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:akeo:rufus:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFBED744-9C21-4139-98DB-E44AC10397E0", "versionEndExcluding": "4.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA."}], "id": "CVE-2026-23988", "lastModified": "2026-02-27T14:36:16.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-22T22:16:21.193", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873"}, {"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "https://github.com/pbatard/rufus/releases/tag/v4.12_BETA"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:34:46.184474+00:00", "value": {"mitigation_remediation": ["Upgrade to Rufus version 4.12_BETA or later to address the race condition.", "If an upgrade is not immediately possible, modify the permissions on the %TEMP% directory so that standard users cannot write to it while Rufus is running, thereby preventing script replacement.", "Consider disabling the automatic execution of Fido PowerShell scripts or running Rufus with the least privilege required for your environment to reduce the risk of inadvertent code execution."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Rufus utility developed by pbatard. Versions 4.11 and earlier are impacted. A patch is available in Rufus version 4.12_BETA and later.", "description_and_impact": "A time\u2011of\u2011check to time\u2011of\u2011use (TOCTOU) race condition exists in the Fido PowerShell script handling routine within Rufus. The program writes the script to the user\u2019s %TEMP% directory while running with elevated Administrator privileges, but does not lock the file. A local user with write access to that directory can replace the script before Rufus executes it, allowing the attacker to run arbitrary code as Administrator. This flaw permits privilege escalation and code execution without any network involvement.", "risk_and_exploitability": "The CVSS score of 7.3 signifies a high severity rating. The EPSS score of less than 1% indicates a very low probability of exploitation under current public data, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires a local attacker who can run Rufus with administrator privileges on the target machine. Because the flaw occurs during script creation and execution on the local filesystem, it is not remotely exploitable but can be triggered by anyone with physical access or terminal access to the device."}}}}, "created": "2026-01-23T10:27:06.945065+00:00", "updated": "2026-04-18T03:45:21.072958+00:00", "vendors": ["pbatard", "pbatard$PRODUCT$rufus"]}