PT-2026-4296 · Rufus · Rufus

Independent-Arg · Published 2026-01-22 · Updated 2026-03-03 · CVE-2026-23988

CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rufus versions 4.11 and below

Description: Rufus, a utility for formatting and creating bootable USB flash drives, contains a time-of-check to time-of-use (TOCTOU) race condition in src/net.c, in the code path that creates, validates, and executes the Fido PowerShell script. Rufus runs with elevated (Administrator) privileges but writes the script to the %TEMP% directory, which is accessible to standard users, and it does not lock the file between validation and execution. A local attacker can therefore replace the legitimate script with a malicious one in that window and obtain arbitrary code execution with Administrator privileges. The issue is exploitable when an administrator runs Rufus elevated on a system that a standard user can also access, either locally or through Remote Desktop Protocol (RDP); that user can automate the file replacement in %TEMP% and gain Administrator privileges.

Recommendations: Update to Rufus 4.12 BETA or later. Do not run Rufus with Administrator privileges on shared systems.
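The check-then-use gap described above, as an added Python model that is not Rufus's code (the real path is in src/net.c and invokes PowerShell): it contrasts validating a file and then executing it by path with validating bytes read once and executing those same bytes. The file name Fido.ps1, the SHA-256 check and the stand-in executor are assumptions, and the script content is constructed.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the downloaded helper script (not the real Fido script).
TRUSTED_SCRIPT = b"Write-Host 'trusted downloader'\n"
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_SCRIPT).hexdigest()

def write_script(directory):
    """Create with O_EXCL so a pre-planted file of the same name is rejected."""
    path = os.path.join(directory, "Fido.ps1")  # assumed file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(TRUSTED_SCRIPT)
    return path

def launch_toctou(path, executor, between=None):
    """Vulnerable: validate the file, then hand the path to the interpreter, which
    re-reads it from disk; whatever is on disk at that second read is executed."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != TRUSTED_SHA256:
            raise ValueError("script failed validation")
    if between:
        between()  # the window between check and use
    with open(path, "rb") as f:  # models the interpreter's own read of the path
        return executor(f.read())

def launch_pinned(path, executor, between=None):
    """Hardened: read once, validate those bytes and execute those same bytes (e.g.
    piped to the interpreter's stdin), so a later change on disk has no effect."""
    with open(path, "rb") as f:
        content = f.read()
    if hashlib.sha256(content).hexdigest() != TRUSTED_SHA256:
        raise ValueError("script failed validation")
    if between:
        between()
    return executor(content)

def demo():
    """Run both launchers while a second writer replaces the file in the window."""
    executor = lambda data: data  # stand-in for invoking PowerShell; returns what ran
    results = {}
    for name, launcher in (("toctou", launch_toctou), ("pinned", launch_pinned)):
        with tempfile.TemporaryDirectory() as d:  # private dir, unlike shared %TEMP%
            path = write_script(d)
            def replace(p=path):
                with open(p, "wb") as f:
                    f.write(b"Write-Host 'replaced'\n")
            results[name] = launcher(path, executor, between=replace)
    return results
```

The pinned variant also benefits from a directory that standard users cannot write to; the in-memory validation is what closes the race itself.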

Exploit

Fix

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

CVE-2026-23988
GHSA-HCX5-HRHJ-XHQ9

Affected Products

Rufus