Description
SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update.
Published: 2026-06-03
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SWUpdate prior to the 2026.05 release contains a TOCTOU race condition that allows a local, unprivileged user to trigger the installation of a signed update. By exploiting this race, the attacker can have arbitrary scripts executed during the update process or even gain root privileges. The flaw is documented as CWE-367, the classic race condition in which the state a program checks is changed before the program acts on the result of that check.
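As an added illustration of the CWE-367 pattern named above (example code written for this page, not SWUpdate's implementation and not taken from the CVE record): an installer that verifies a package at a path and then re-opens that path to install it, beside a verify-then-use version that reads the package through a single descriptor and installs exactly the bytes it verified. The `digest()` stand-in for signature verification, the `window_hook` callback that models the check-to-use window, and the `/tmp/swu_toctou_demo.bin` path are all constructed for the demonstration; a real updater would verify a cryptographic signature in place of the hash.

```c
/* Added example: CWE-367 check-then-use beside a verify-then-use pattern.
 * Generic demonstration code, not SWUpdate's implementation. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_PKG 4096

/* Stand-in for signature verification: FNV-1a over the package bytes,
 * compared with a trusted value. Constructed for the demo, not real crypto. */
static uint64_t digest(const unsigned char *buf, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static ssize_t read_all(int fd, unsigned char *buf, size_t cap) {
    size_t off = 0;
    while (off < cap) {
        ssize_t r = read(fd, buf + off, cap - off);
        if (r < 0) return -1;
        if (r == 0) break;
        off += (size_t)r;
    }
    return (ssize_t)off;
}

/* Models the window between check and use; a caller can pass a hook that
 * rewrites the file there. NULL means nobody touches the file. */
typedef void (*window_hook)(const char *path);

/* Vulnerable: verifies PATH, then looks PATH up a second time to install.
 * Whatever the path resolves to at the second open is what gets installed. */
int install_by_path(const char *path, uint64_t trusted, window_hook hook,
                    unsigned char *out, size_t cap) {
    unsigned char buf[MAX_PKG];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read_all(fd, buf, sizeof buf);
    close(fd);
    if (n < 0 || digest(buf, (size_t)n) != trusted) return -2; /* check */
    if (hook) hook(path);                                      /* window */
    fd = open(path, O_RDONLY);                                 /* use */
    if (fd < 0) return -1;
    n = read_all(fd, out, cap);
    close(fd);
    return n < 0 ? -1 : (int)n;
}

/* Hardened: one open, fstat on the descriptor, verify the bytes read from
 * it, and install exactly those bytes. There is no second path lookup, so
 * a swap of the file in the window cannot change what is installed. */
int install_by_fd(const char *path, uint64_t trusted, window_hook hook,
                  unsigned char *out, size_t cap) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (size_t)st.st_size > cap) {
        close(fd);
        return -3;
    }
    ssize_t n = read_all(fd, out, cap);
    close(fd);
    if (n < 0 || digest(out, (size_t)n) != trusted) return -2; /* check */
    if (hook) hook(path); /* window: verified bytes are already in hand */
    return (int)n;                                             /* use */
}

/* Demo helpers: write a file, and a hook that swaps the package contents
 * inside the window (constructed to show the effect of the race). */
int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t w = write(fd, data, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

void swap_hook(const char *path) { write_file(path, "untrusted payload"); }

int main(void) {
    const char *path = "/tmp/swu_toctou_demo.bin"; /* constructed path */
    const char *signed_pkg = "signed update v1";   /* constructed package */
    uint64_t trusted = digest((const unsigned char *)signed_pkg, strlen(signed_pkg));
    unsigned char out[MAX_PKG];

    write_file(path, signed_pkg);
    int n = install_by_path(path, trusted, swap_hook, out, sizeof out);
    printf("by path: installed %d bytes: %.*s\n", n, n, (const char *)out);

    write_file(path, signed_pkg);
    n = install_by_fd(path, trusted, swap_hook, out, sizeof out);
    printf("by fd:   installed %d bytes: %.*s\n", n, n, (const char *)out);
    unlink(path);
    return 0;
}
```

The path-based installer passes its check and then installs whatever the second lookup returns, which is the swapped content; the descriptor-based installer installs the sixteen bytes it actually verified, and a package tampered with before the check is rejected by both. The general rule the example shows is to verify and consume the same bytes through the same descriptor, and to reject anything that is not a regular file, rather than to trust a path twice.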

Affected Systems

The vulnerability affects all installations of SWUpdate from its earliest releases up to, but not including, version 2026.05. This includes any vendor that relies on the open-source SWUpdate package, as the flaw resides in the core update logic rather than in a single product variant.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity, while the EPSS score is not available, suggesting limited data on exploitation likelihood. The vulnerability is not yet listed in the CISA KEV catalog. Attackers must have local, unprivileged access to the host, but the race condition permits escalation to root once the attacker manipulates the signed update sequence. Because the exploit targets signed updates, an attacker can also introduce untrusted content that the system believes originates from a trusted source.

Generated by OpenCVE AI on June 3, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SWUpdate version 2026.05 or later to eliminate the race condition.
  • If an upgrade cannot be performed immediately, restrict write and execution permissions on the update directory to root users only and prevent unprivileged accounts from triggering the update process.
  • Configure the update mechanism to perform a strict integrity check on each update package, rejecting any that modify executable scripts or contain unexpected content, thereby preventing untrusted code from being executed.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 13:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sbabic; Sbabic swupdate
Vendors & Products  |                | Sbabic; Sbabic swupdate

Wed, 03 Jun 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 12:30:00 +0000

Type        | Values Removed | Values Added
Description |                | SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update.
Title       |                | SWUpdate Untrusted Script Execution via Signed Update TOCTOU
Weaknesses  |                | CWE-367
References  |                |
Metrics     |                | cvssV4_0: {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: sba-research

Published:

Updated: 2026-06-03T12:37:01.661Z

Reserved: 2025-04-16T09:37:50.631Z

Link: CVE-2025-41259

Vulnrichment

Updated: 2026-06-03T12:36:58.420Z

NVD

Status: Received

Published: 2026-06-03T13:16:18.967

Modified: 2026-06-03T14:16:30.973

Link: CVE-2025-41259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T14:00:21Z

Weaknesses