Description
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
INFO
Published Date: 2026-01-22T21:52:26.925Z
Last Modified: 2026-01-23T20:13:25.446Z
Source: GitHub_M
AFFECTED PRODUCTS
The following products are affected by the CVE-2026-23988 vulnerability.
| Vendors | Products |
|---|---|
| Akeo | |
| Pbatard | |
REFERENCES
Here you will find a curated list of external links that provide in-depth information on CVE-2026-23988.