Description
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Execute Arbitrary Code
Action: Immediate Patch
AI Analysis

Impact

A Time‑of‑Check to Time‑of‑Use (TOCTOU) race condition exists in Balena Etcher for Windows that allows a malicious actor to replace a legitimate script with a crafted payload while the application is flashing a device. The flaw permits an attacker to execute arbitrary code with elevated privileges, constituting a severe security risk that can compromise the host operating system.

Affected Systems

Any installation of Balena Etcher on Windows with a version earlier than v2.1.4 is affected. The vulnerability is triggered during the flashing process when scripts are validated and subsequently executed; users who specify a script to be run during the flash are at risk.

Risk and Exploitability

The CVSS score of 7.5 places this vulnerability in the High severity band. Exploit probability data (EPSS) is unavailable, and the flaw is not yet listed in the CISA KEV catalog. Based on the description, the likely attack requires local access to the target machine and the ability to run Balena Etcher with a crafted script file; no remote exploitation path is documented. The race window between script validation and script execution makes exploitation plausible under normal flashing scenarios.
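The check-then-use pattern behind CWE-367 is easiest to see side by side with its fix. The following Python is an added illustration, not Balena Etcher's code, and it makes no claim about how Etcher validates or runs scripts: the allowlist hash, the file names and the `between_check_and_use` hook (which stands in for the race window so the demonstration is deterministic rather than timing-dependent) are all constructed for the example. The vulnerable function validates the script by path and later re-opens the path to read what it will run; the hardened function reads the bytes once, validates those exact bytes, and runs only those bytes, so nothing that happens to the file afterwards matters. Nothing is actually executed; both functions return the bytes they would have handed to an interpreter.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Optional

# Constructed allowlist: SHA-256 of the only script content this example trusts.
TRUSTED_SCRIPT = b"echo flashing-complete\n"
ALLOWED_HASHES = {hashlib.sha256(TRUSTED_SCRIPT).hexdigest()}

Hook = Optional[Callable[[], None]]


def _sha256_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def run_script_toctou(path: str, between_check_and_use: Hook = None) -> bytes:
    """Vulnerable pattern (CWE-367): validate by path, then re-open the path later.

    Whatever the file contains at the second open is returned unvalidated.
    The hook models the race window between the check and the use.
    """
    if _sha256_of_file(path) not in ALLOWED_HASHES:
        raise PermissionError("script not in allowlist")
    if between_check_and_use:
        between_check_and_use()  # the race window: file may change here
    with open(path, "rb") as f:  # second open: may see different content
        return f.read()


def run_script_safe(path: str, between_check_and_use: Hook = None) -> bytes:
    """Hardened pattern: read once, validate those bytes, use those same bytes.

    The path is never consulted again, so later changes to the file cannot
    influence what is executed.
    """
    with open(path, "rb") as f:
        content = f.read()
    if hashlib.sha256(content).hexdigest() not in ALLOWED_HASHES:
        raise PermissionError("script not in allowlist")
    if between_check_and_use:
        between_check_and_use()  # same window, but nothing is re-read after it
    return content


def demo(vulnerable: bool) -> bytes:
    """Write the trusted script, replace it inside the window, report what would run."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "post-flash.sh")  # constructed file name
    with open(path, "wb") as f:
        f.write(TRUSTED_SCRIPT)

    def replace_file() -> None:
        # Models the file changing between check and use.
        with open(path, "wb") as f:
            f.write(b"echo unvalidated-content\n")

    try:
        runner = run_script_toctou if vulnerable else run_script_safe
        return runner(path, between_check_and_use=replace_file)
    finally:
        shutil.rmtree(tmpdir)


def rejects_untrusted() -> bool:
    """Both patterns still reject content that never matched the allowlist."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "other.sh")
    with open(path, "wb") as f:
        f.write(b"echo never-trusted\n")
    try:
        try:
            run_script_safe(path)
            return False
        except PermissionError:
            return True
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print("vulnerable pattern would run:", demo(vulnerable=True))
    print("hardened pattern would run:  ", demo(vulnerable=False))
```

The design point is that a validation result must be bound to the object that is actually used, not to a name that can be re-resolved: validate the bytes you execute (as above), or keep the single open handle and read from it, rather than checking a path and opening it again.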

Generated by OpenCVE AI on April 2, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Balena Etcher to version 2.1.4 or newer, which removes the race condition.
  • Use a protected environment when flashing devices, ensuring that no malicious scripts can be introduced.
  • If an upgrade is not immediately possible, monitor Balena’s security page and apply any newly released patches as soon as they are available.

Generated by OpenCVE AI on April 2, 2026 at 22:38 UTC.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                | Values Removed | Values Added
Title               |                | Time‑of‑Check to Time‑of‑Use Race Condition in Balena Etcher Allows Privilege Escalation
First Time appeared |                | Balena-io; Balena-io etcher
Vendors & Products  |                | Balena-io; Balena-io etcher

Thu, 02 Apr 2026 20:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-367
Metrics    |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process.
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AC:H/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:R'}


Subscriptions

Balena-io Etcher
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T17:26:30.031Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30332

Vulnrichment

Updated: 2026-04-02T17:26:03.174Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T16:16:22.050

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-30332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:01Z

Weaknesses