CyberLeveling Logo
CVE-2026-23988 Rufus TOCTOU Vulnerability

CVE-2026-23988: How a TOCTOU Vulnerability in Rufus Enables Local Privilege Escalation

Overview

CVE-2026-23988 is a high-severity local privilege escalation vulnerability affecting Rufus versions 4.11 and below, a widely used utility for creating bootable USB drives. The issue stems from a classic Time-of-Check to Time-of-Use (TOCTOU) race condition that allows a local attacker to execute arbitrary code with Administrator privileges.

Rufus is often run by IT administrators and helpdesk staff in enterprise environments, which makes this vulnerability particularly dangerous when a workstation is already partially compromised or accessible to low-privileged users.

The vulnerability has been fixed in Rufus version 4.12_BETA.

Vulnerability Summary

  • Product: Rufus
  • Affected Versions: 4.11 and below
  • Fixed Version: 4.12_BETA
  • CVE: CVE-2026-23988
  • Severity: High (CVSS 3.1 Base Score: 7.3)
  • Attack Type: Local Privilege Escalation
  • Root Cause: TOCTOU race condition in temporary file handling

CVSS Vector (CNA GitHub)

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

This indicates:

  • Local access required
  • Low attack complexity
  • Low privileges needed
  • User interaction required
  • High impact on confidentiality, integrity, and availability

Technical Details

The vulnerability exists in src/net.c during the handling of a PowerShell script used for Fido, a Rufus feature that downloads official Windows ISO images.

What Goes Wrong

Rufus runs with Administrator privileges.

It downloads or generates a PowerShell script.

That script is written to the %TEMP% directory, which is:

  • Writable by standard (non-admin) users
  • Not protected with file locking

Rufus:

  1. Writes the script
  2. Performs validation
  3. Executes the script afterward

Between the write and execution steps, there is a race window. Because no file locking or secure file handling is used, a local attacker can replace the script before execution.

Why This Is Dangerous

TOCTOU vulnerabilities are particularly risky when:

  • A privileged process
  • Writes to a shared or user-writable location
  • And later executes the same file

In this case, Rufus unintentionally provides a privilege boundary crossing, allowing unprivileged users to inject arbitrary commands that will be executed as Administrator.

Example Attack Scenario (Conceptual)

This example is for educational and defensive understanding only.

Scenario: Shared Corporate Workstation

A company uses Rufus on IT workstations to prepare bootable Windows USB installers.

An attacker has:

  • A standard user account or malware running as a standard user
  • Access to the same machine

The IT technician launches Rufus as Administrator and starts using the Fido feature.

Attack Flow

The attacker monitors the %TEMP% directory for newly created PowerShell scripts associated with Rufus.

When Rufus writes the legitimate Fido script:

  • The attacker quickly replaces or modifies the file before execution.

Rufus then executes:

  • What it believes is its own script
  • But is actually attacker-controlled content

Result

The malicious script runs with Administrator privileges, allowing the attacker to:

  • Install persistent malware
  • Create new admin users
  • Disable endpoint security
  • Dump credentials
  • Move laterally within the network

This turns a local, low-privileged foothold into full system compromise.

Real-World Impact in Enterprises

This vulnerability is especially concerning because:

  • Rufus is trusted software
  • Often excluded from restrictive application controls
  • Frequently run by administrators
  • Commonly present on:
    • IT support machines
    • Imaging stations
    • Incident response kits

An attacker who compromises a single workstation via phishing, malicious USB devices, or browser exploitation could wait passively until Rufus is used and then escalate privileges silently.

Mitigation and Recommendations

Immediate Actions

  • Upgrade to Rufus 4.12_BETA or later
  • Remove older Rufus versions from managed systems
  • Restrict usage of Rufus to isolated or hardened machines

Defensive Controls

  • Monitor %TEMP% directory activity during elevated processes
  • Use EDR rules to detect:
    • Script replacement
    • Unexpected PowerShell execution by Rufus
  • Enforce least privilege:
    • Avoid running Rufus on shared-user systems

Secure Development Lesson

This vulnerability highlights why:

  • Temporary files must be securely created
  • File locking or atomic operations are essential
  • Privileged processes should never trust user-writable paths

Conclusion

CVE-2026-23988 is a textbook example of how a small implementation detail, writing an executable script to a world-writable directory, can lead to full administrative compromise.

While the attack requires local access, the low complexity and high impact make it a serious risk in enterprise and shared-system environments. Organizations using Rufus should treat this as a priority patching issue and review similar tooling for unsafe temporary file handling.