
CVE-2026-23988

High · Public PoC

Published: 22 January 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: available (4.12_BETA)
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23988 is a high-severity time-of-check to time-of-use (TOCTOU) race condition (CWE-367) in Akeo Rufus. Its CVSS base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 0.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-23988 is a time-of-check to time-of-use (TOCTOU) race condition, classified under CWE-367, affecting Rufus versions 4.11 and earlier. Rufus is a utility for formatting and creating bootable USB flash drives. The issue resides in the src/net.c component during the creation, validation, and execution of the Fido PowerShell script. With a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), the vulnerability arises because Rufus runs with elevated Administrator privileges but writes the script to the %TEMP% directory, which is writable by standard users, without locking the file.

A local attacker with low privileges can replace the legitimate PowerShell script in %TEMP% with a malicious one between the write and the execution step, because Rufus does not prevent concurrent access to the file. Exploitation requires the victim to run Rufus as Administrator, which is the user-interaction component of the score. Successful exploitation yields arbitrary code execution with Administrator privileges and can lead to full system compromise.

The vulnerability has been addressed in Rufus version 4.12_BETA, as detailed in the project's GitHub security advisory (GHSA-hcx5-hrhj-xhq9), release notes, and the fixing commit (460cc5768aa45be07941b9e4ebc9bee02d282873). Security practitioners should advise users to update to 4.12_BETA or later and avoid running Rufus from untrusted environments.
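The two execution patterns described above, as an added illustration that is not Rufus code and does not reproduce the project's fix: the vulnerable pattern re-resolves the script by path at execution time (which is what launching an interpreter with a file path does), while the hardened pattern keeps the handle obtained at write time and re-verifies a digest of the content immediately before execution. Python is used here for portability rather than the project's C; the "execution" step only returns the bytes that would be handed to the interpreter, and the two race variants (rename over the path, overwrite in place) are constructed simulations run inside a private temporary directory.

```python
"""Added example (not Rufus code): why re-opening a temp script by path is racy,
and how a held handle plus an integrity check narrows the TOCTOU window.
No PowerShell is invoked; "running" a script means returning its bytes."""
import hashlib
import os
import tempfile

# Constructed sample contents standing in for the Fido script.
LEGIT_SCRIPT = b"Write-Host 'legitimate Fido script'\n"
SWAPPED_SCRIPT = b"Write-Host 'content placed by another local user'\n"


def write_script(dir_path, content):
    """Create a unique file, write the script, and keep the descriptor open.
    Returns (path, fd, sha256 hex digest of what was written)."""
    fd, path = tempfile.mkstemp(prefix="fido_", suffix=".ps1", dir=dir_path)
    os.write(fd, content)
    os.fsync(fd)
    return path, fd, hashlib.sha256(content).hexdigest()


def run_by_path(path):
    """Vulnerable pattern: the script is re-resolved by name at execution
    time, so whatever currently sits at that path is what gets run."""
    with open(path, "rb") as f:
        return f.read()


def run_verified(fd, expected_sha256):
    """Hardened pattern: read back through the handle held since the write
    and refuse to execute unless the digest still matches (SI-7 style check)."""
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    data = b"".join(chunks)
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise RuntimeError("script integrity check failed; refusing to execute")
    return data


def simulate_rename_swap(path, new_content):
    """Constructed stand-in for the race window: another process atomically
    replaces the directory entry. Returns False if the OS refused (on Windows
    a file held open without FILE_SHARE_DELETE cannot be renamed over)."""
    tmp = path + ".swap"
    with open(tmp, "wb") as f:
        f.write(new_content)
    try:
        os.replace(tmp, path)
        return True
    except PermissionError:
        os.remove(tmp)
        return False


def simulate_inplace_overwrite(path, new_content):
    """Constructed stand-in for the other race variant: the existing file
    object is truncated and rewritten, so even a held handle sees new bytes."""
    with open(path, "wb") as f:
        f.write(new_content)


def demo():
    """Run both race variants against both execution patterns."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Variant 1: rename over the path. The held handle still refers to the
        # original file object, so the verified read returns the legit bytes.
        path, fd, digest = write_script(d, LEGIT_SCRIPT)
        results["rename_swapped"] = simulate_rename_swap(path, SWAPPED_SCRIPT)
        results["by_path_after_rename"] = run_by_path(path)
        results["verified_after_rename"] = run_verified(fd, digest)
        os.close(fd)

        # Variant 2: overwrite in place. The handle now yields foreign bytes,
        # and only the digest check stops execution.
        path, fd, digest = write_script(d, LEGIT_SCRIPT)
        simulate_inplace_overwrite(path, SWAPPED_SCRIPT)
        try:
            run_verified(fd, digest)
            results["overwrite_detected"] = False
        except RuntimeError:
            results["overwrite_detected"] = True
        os.close(fd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Holding the handle defeats the rename variant on its own, but not an in-place rewrite of a file whose ACL still admits other users, which is why the digest check is paired with it. The complete mitigation on Windows is the one the page's AC-3 entry describes: write the script to a location that standard users cannot modify at all, so neither variant is reachable in the first place.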

EU & UK References

Vulnerability details

Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation). Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059.001 PowerShell (tactic: Execution). Adversaries may abuse PowerShell commands and scripts for execution.

Why these techniques?

The TOCTOU race condition in the elevated Rufus process lets a low-privileged local user replace the Fido PowerShell script in %TEMP%, so execution of the substituted script directly yields privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-53028 (shared CWE-367)
- CVE-2026-41651 (shared CWE-367)
- CVE-2026-41702 (shared CWE-367)
- CVE-2026-27750 (shared CWE-367)
- CVE-2026-21240 (shared CWE-367)
- CVE-2026-45208 (shared CWE-367)
- CVE-2024-45560 (shared CWE-367)
- CVE-2023-20548 (shared CWE-367)
- CVE-2024-53032 (shared CWE-367)
- CVE-2026-20831 (shared CWE-367)

Affected Assets

akeo
rufus
≤ 4.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent (AC-3 Access Enforcement): enforces access controls on the %TEMP% script file so that a standard user cannot replace it after Rufus (running as Administrator) has written it.
- Detect (SI-7 Software, Firmware, and Information Integrity): requires verification of the integrity of the Fido PowerShell script immediately before execution, detecting any TOCTOU replacement.
- Prevent: protects against unintended information transfer or modification through the shared %TEMP% directory used for the elevated script.

References