Description
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
Published: 2026-01-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A time‑of‑check to time‑of‑use (TOCTOU) race condition exists in the Fido PowerShell script handling routine within Rufus. The program writes the script to the user’s %TEMP% directory while running with elevated Administrator privileges, but does not lock the file. A local user with write access to that directory can replace the script before Rufus executes it, allowing the attacker to run arbitrary code as Administrator. This flaw permits privilege escalation and code execution without any network involvement.

Affected Systems

The vulnerability affects the Rufus utility developed by pbatard. Versions 4.11 and earlier are impacted. A patch is available in Rufus version 4.12_BETA and later.

Risk and Exploitability

The CVSS score of 7.3 signifies a high severity rating. The EPSS score of less than 1% indicates a very low probability of exploitation under current public data, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires a local attacker who can run Rufus with administrator privileges on the target machine. Because the flaw occurs during script creation and execution on the local filesystem, it is not remotely exploitable but can be triggered by anyone with physical access or terminal access to the device.

Generated by OpenCVE AI on April 18, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Rufus version 4.12_BETA or later to address the race condition.
  • If an upgrade is not immediately possible, modify the permissions on the %TEMP% directory so that standard users cannot write to it while Rufus is running, thereby preventing script replacement.
  • Consider disabling the automatic execution of Fido PowerShell scripts or running Rufus with the least privilege required for your environment to reduce the risk of inadvertent code execution.

Generated by OpenCVE AI on April 18, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Akeo
Akeo rufus
CPEs cpe:2.3:a:akeo:rufus:*:*:*:*:*:*:*:*
Vendors & Products Akeo
Akeo rufus

Fri, 23 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Pbatard
Pbatard rufus
Vendors & Products Pbatard
Pbatard rufus

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
Title Rufus has Local Privilege Escalation via TOCTOU Race Condition in Fido Script Handling
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Akeo Rufus
Pbatard Rufus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-23T20:13:25.446Z

Reserved: 2026-01-19T18:49:20.657Z

Link: CVE-2026-23988

cve-icon Vulnrichment

Updated: 2026-01-23T20:13:21.818Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T22:16:21.193

Modified: 2026-02-27T14:36:16.870

Link: CVE-2026-23988

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses