CVE-2026-23988
Unknown Unknown - Not Provided
TOCTOU Race Condition in Rufus Allows Privilege Escalation

Publication date: 2026-01-22

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23988
EUVD
EUVD-2026-4202
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
akeo rufus to 4.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition (TOCTOU) in Rufus versions 4.11 and below, occurring in the creation, validation, and execution of the Fido PowerShell script. Rufus runs with Administrator privileges but writes the script to the %TEMP% directory, which is writable by standard users, without locking the file. This allows a local attacker to replace the legitimate script with a malicious one between the write and execution steps, leading to arbitrary code execution with Administrator privileges.

Impact Analysis

This vulnerability can allow a local attacker to execute arbitrary code with Administrator privileges on the affected system. This means the attacker could potentially take full control of the system, install malware, steal data, or disrupt system operations.

Mitigation Strategies

To mitigate this vulnerability, update Rufus to version 4.12_BETA or later, where the race condition issue has been fixed. Avoid running Rufus with elevated privileges if possible, and ensure that the %TEMP% directory is secured to prevent unauthorized modification of scripts during execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23988. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart