CVE-2026-23988

EUVD-2026-4202

22.01.2026, 22:16

Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.3 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
akeo	rufus	𝑥 < 4.12

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873

https://github.com/pbatard/rufus/releases/tag/v4.12_BETA

https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9