CVE-2026-23988
Published: 22 January 2026
Summary
CVE-2026-23988 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Akeo Rufus. Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood it sits at the 0.3 percentile (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-23988 is a time-of-check to time-of-use (TOCTOU) race condition, classified under CWE-367, affecting Rufus versions 4.11 and earlier. Rufus is a utility for formatting and creating bootable USB flash drives. The flaw is in src/net.c, in the code that creates, validates, and executes the Fido PowerShell script. The CVSS v3.1 base score is 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The root cause is that Rufus runs with elevated Administrator privileges yet writes the script to the %TEMP% directory, which standard users can write to, and does not lock the file between writing it and executing it.
A local attacker with low privileges can exploit this by replacing the legitimate PowerShell script in %TEMP% with a malicious one in the window between the write and the execution step, since Rufus does nothing to prevent concurrent access to the file. Two preconditions apply: the attacker already needs a low-privileged foothold on the same machine (the vector is local), and the victim must run Rufus as Administrator and trigger the code path that creates the script, which is the user-interaction element in the vector. The attacker must also win the race, but nothing in the affected versions narrows that window. Successful exploitation yields arbitrary code execution with Administrator privileges and, from there, full control of the system.
The vulnerability has been addressed in Rufus version 4.12_BETA, as detailed in the project's GitHub security advisory (GHSA-hcx5-hrhj-xhq9), the release notes, and the fixing commit (460cc5768aa45be07941b9e4ebc9bee02d282873). Security practitioners should advise users to update to 4.12_BETA or later. Until then, the exposure is greatest on multi-user hosts: avoid running Rufus as Administrator on machines where other, less-privileged users have interactive or remote access, since that is exactly the attacker the vector assumes.
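The race described above, as an added example that is not Rufus's own code and does not reproduce its fix: a POSIX C model of the vulnerable write-then-execute sequence beside a hardened variant that applies the two controls named in the Summary, a private directory other users cannot write into (AC-3) and a byte-for-byte re-check of the script against the in-memory copy immediately before execution (SI-7). "Executing" the script is simulated by reading it back; the function names, the /tmp paths and both script bodies are constructed for the demo, and the attacker's swap is performed by the same user because the demo is a single process (on the affected Rufus versions the swap could come from a different, standard user because %TEMP% was shared and the file was not locked).

```c
/* Added example, not Rufus source. Models CWE-367 write-then-execute on
 * POSIX; the Windows pieces (%TEMP%, PowerShell) are stand-ins. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SCRIPT_MAX 4096

/* Constructed stand-ins for the legitimate Fido script and the attacker's
 * replacement; neither is real Rufus or Fido content. */
static const char GOOD_SCRIPT[] = "Write-Host 'Fido: fetching ISO list'\r\n";
static const char EVIL_SCRIPT[] = "Start-Process cmd.exe -ArgumentList '/c whoami'\r\n";

/* Write a buffer to path, truncating. 0 on success. */
static int write_all(const char *path, const char *buf, size_t len) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite(buf, 1, len, f);
    int closed = fclose(f);
    return (n == len && closed == 0) ? 0 : -1;
}

/* Read path into out (at most cap bytes). Bytes read, or -1. */
static long read_all(const char *path, char *out, size_t cap) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, cap, f);
    fclose(f);
    return (long)n;
}

/* The attacker's move: overwrite the script between write and execute. The
 * demo's single user plays the attacker; on Rufus <= 4.11 a standard user
 * could do this because %TEMP% was shared and the file was not locked. */
static void attacker_swap(const char *path) {
    write_all(path, EVIL_SCRIPT, strlen(EVIL_SCRIPT));
}

/* Vulnerable pattern (CWE-367): create the script, drop the handle, run
 * whatever is on disk later. Copies the "executed" text into executed. */
int vulnerable_run(int attacker_wins, char *executed, size_t cap) {
    char path[] = "/tmp/fido_vuln_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);                                   /* handle dropped: nothing holds the file */
    if (write_all(path, GOOD_SCRIPT, strlen(GOOD_SCRIPT)) != 0) { unlink(path); return -1; }
    if (attacker_wins) attacker_swap(path);      /* the TOCTOU window */
    long n = read_all(path, executed, cap - 1);  /* time of use: run what is on disk */
    unlink(path);
    if (n < 0) return -1;
    executed[n] = '\0';
    return 0;
}

/* Hardened pattern: private 0700 directory (AC-3) plus a byte-for-byte
 * re-check against the in-memory copy right before execution (SI-7).
 * Returns 0 = executed, 1 = refused because the file changed, -1 = error. */
int hardened_run(int attacker_wins, char *executed, size_t cap) {
    char dir[] = "/tmp/fido_priv_XXXXXX";
    char path[64];
    char buf[SCRIPT_MAX];
    struct stat st;
    ssize_t n = -1, want = (ssize_t)strlen(GOOD_SCRIPT);
    int fd, rc = -1;

    executed[0] = '\0';
    if (!mkdtemp(dir)) return -1;                /* mode 0700: other users locked out */
    snprintf(path, sizeof path, "%s/fido.ps1", dir);

    /* O_EXCL|O_NOFOLLOW: never reuse a pre-planted file or symlink. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        if (write(fd, GOOD_SCRIPT, (size_t)want) != want) { close(fd); fd = -1; }
        else close(fd);
    }
    if (fd < 0) goto cleanup;
    if (attacker_wins) attacker_swap(path);      /* same-user swap, possible only in the demo */

    /* Time of use: reopen, confirm it is still our plain file, compare bytes. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) goto cleanup;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        st.st_uid == getuid() && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
        n = read(fd, buf, sizeof buf);
    close(fd);
    if (n == want && memcmp(buf, GOOD_SCRIPT, (size_t)n) == 0 && (size_t)n < cap) {
        memcpy(executed, buf, (size_t)n);
        executed[n] = '\0';
        rc = 0;                                  /* contents intact: safe to execute */
    } else {
        rc = 1;                                  /* tampered or unexpected: do not execute */
    }
cleanup:
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    char out[SCRIPT_MAX];
    vulnerable_run(1, out, sizeof out);
    printf("vulnerable executed: %s", out);
    int rc = hardened_run(1, out, sizeof out);
    printf("hardened: rc=%d %s\n", rc, rc == 0 ? out : "(refused)");
    return 0;
}
```

Two caveats on the hardened variant. The re-check narrows the window but does not close it: a tiny gap remains between the compare and the actual launch, so the private directory is what actually keeps a different user out, and the compare is defence in depth for the case where the directory protection fails. On Windows the equivalents are a per-user, ACL-restricted location instead of a shared %TEMP%, and keeping the file handle open without write sharing (or not writing the script to a shared path at all) rather than closing it between write and execute.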
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4202
Vulnerability details
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
- CWE(s): CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The TOCTOU race in the elevated Rufus process lets a low-privileged local user replace the Fido PowerShell script in %TEMP% before Rufus executes it, so the replacement runs as Administrator. That is privilege escalation by exploiting a flaw in a local application, which is what T1068 describes.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces access controls on the %TEMP% script file so that a standard user cannot replace it after Rufus (running as Administrator) has written it.
- SI-7 (Software, Firmware, and Information Integrity): requires verification of the integrity of the Fido PowerShell script immediately before execution, detecting any TOCTOU replacement.
- Protects against unintended information transfer or modification through the shared %TEMP% directory used for the elevated script.