CVE-2026-3428
Received Received - Intake
TOC-TOU Code Download Flaw in ASUS Member Center Enables Privilege Escalation

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: ASUS

Description
A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) during the update process, where an unexpected payload is substituted for a legitimate one immediately after download, and subsequently executed with administrative privileges upon user consent. Refer to the 'Security Update for ASUS Member Center' section on the ASUS Security Advisory for more information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3428
EUVD
EUVD-2026-23158
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
asus member_center *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-494 The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Download of Code Without Integrity Check issue in the update modules of ASUS Member Center. It allows a local user to escalate their privileges to Administrator by exploiting a Time-of-check Time-of-use (TOC-TOU) race condition during the update process.

Specifically, after a legitimate payload is downloaded, an attacker can substitute it with an unexpected payload before execution. When the user consents, this malicious payload is executed with administrative privileges.

Impact Analysis

This vulnerability can allow a local attacker to gain administrative privileges on the affected system.

With elevated privileges, the attacker could execute arbitrary code with full control over the system, potentially leading to unauthorized access, data modification, or system compromise.

Mitigation Strategies

To mitigate this vulnerability, ensure that you apply the latest security updates provided by ASUS for the ASUS Member Center software.

Avoid running the update process with lower privileges that could be exploited, and be cautious when consenting to update prompts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart