{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23988","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-01-19T18:49:20.657Z","datePublished":"2026-01-22T21:52:26.925Z","dateUpdated":"2026-01-23T20:13:25.446Z"},"containers":{"cna":{"title":"Rufus has Local Privilege Escalation via TOCTOU Race Condition in Fido Script Handling","problemTypes":[{"descriptions":[{"cweId":"CWE-367","lang":"en","description":"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9","tags":["x_refsource_CONFIRM"],"url":"https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9"},{"name":"https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873","tags":["x_refsource_MISC"],"url":"https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873"},{"name":"https://github.com/pbatard/rufus/releases/tag/v4.12_BETA","tags":["x_refsource_MISC"],"url":"https://github.com/pbatard/rufus/releases/tag/v4.12_BETA"}],"affected":[{"vendor":"pbatard","product":"rufus","versions":[{"version":"< 4.12_BETA","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-01-22T21:52:26.925Z"},"descriptions":[{"lang":"en","value":"Rufus is a utility that helps format and create bootable USB flash drives. \nVersions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA."}],"source":{"advisory":"GHSA-hcx5-hrhj-xhq9","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-23T20:13:16.085068Z","id":"CVE-2026-23988","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-23T20:13:25.446Z"}}]}}