CVE-2026-23988
TOCTOU Race Condition in Rufus Allows Privilege Escalation
Publication date: 2026-01-22
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| akeo | rufus | up to 4.12 (4.12 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition (TOCTOU) in Rufus versions 4.11 and below, occurring in the creation, validation, and execution of the Fido PowerShell script. Rufus runs with Administrator privileges but writes the script to the %TEMP% directory, which is writable by standard users, without locking the file. This allows a local attacker to replace the legitimate script with a malicious one between the write and execution steps, leading to arbitrary code execution with Administrator privileges.
How can this vulnerability impact me?
This vulnerability can allow a local attacker to execute arbitrary code with Administrator privileges on the affected system. This means the attacker could potentially take full control of the system, install malware, steal data, or disrupt system operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Rufus to version 4.12_BETA or later, where the race condition issue has been fixed. Avoid running Rufus with elevated privileges if possible, and ensure that the %TEMP% directory is secured to prevent unauthorized modification of scripts during execution.
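The launch pattern that closes the window described above, as an added PowerShell example that is not Rufus code: the generated script goes into a fresh directory outside %TEMP% whose DACL grants only Administrators and SYSTEM, the file is created with CreateNew so a planted file fails the launch, and a read handle that refuses write and delete sharing is held while the on-disk bytes are hashed against the in-memory content and the script is run. The directory name, the script body and the hash check are constructed for illustration; it assumes an elevated session.

```powershell
# Added example, not Rufus source code: launch a generated PowerShell script
# without a check-to-use window. Run from an elevated (Administrator) session.
$ErrorActionPreference = 'Stop'
$script = "Write-Output 'generated script ran'"    # constructed script body

# 1. Fresh directory outside %TEMP% with an explicit Administrators/SYSTEM-only
#    DACL, so a standard user can neither write into it nor rename it.
$dir = Join-Path $env:ProgramData ('fido-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $false)        # drop inherited ACEs
foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {     # Administrators, SYSTEM
    $id = [System.Security.Principal.SecurityIdentifier]::new($sid)
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
}
Set-Acl -Path $dir -AclObject $acl

# 2. CreateNew fails if anything was planted at the path before the DACL
#    took effect (fail closed); the new file inherits the restrictive DACL.
$path  = Join-Path $dir 'script.ps1'
$bytes = [Text.Encoding]::UTF8.GetBytes($script)
$w = [IO.File]::Open($path, 'CreateNew', 'Write', 'None')
try { $w.Write($bytes, 0, $bytes.Length) } finally { $w.Dispose() }
$expected = [BitConverter]::ToString(
    [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)).Replace('-', '')

# 3. Hold a read handle that shares Read only: no other process can open the
#    file for write or delete it while the handle is held. Hash through that
#    handle and run the script only if the on-disk bytes are the ones written.
$r = [IO.File]::Open($path, 'Open', 'Read', 'Read')
try {
    $actual = (Get-FileHash -InputStream $r -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Content of $path changed; not running it" }
    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $path
} finally {
    $r.Dispose()
    Remove-Item -Path $dir -Recurse -Force
}
```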