216.73.217.139

CVE-2026-23988

· Published 22/01/2026 22:16 · Modified 22/01/2026 22:16

Labels: CVE-2026-23988 2026-01-22CVE-2026-23988CWE-367[email protected]

Essential information

Published
22/01/2026 22:16
Modified
22/01/2026 22:16
Author
Creator
CVSS
7.3 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
rufus / rufus cpe:2.3:a:rufus:rufus:<4.12:*:*:*:*:*:*:*

References