cvedb.io
CVE-2026-23988
HIGH · CVSS 7.3
EPSS exploitation probability: 0%
Published 2026-01-22T22:16:21.193 · Last modified 2026-06-17T10:22:24.153

Summary

Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a time-of-check to time-of-use (TOCTOU) race condition in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Rufus runs with elevated (Administrator) privileges but writes the script to the %TEMP% directory, which is writable by standard users, without locking the file, so a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. The issue has been fixed in version 4.12_BETA.

Affected products

akeo — rufus

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.