A high-severity security flaw has been discovered in Rufus, the ubiquitous utility used by millions of IT professionals to format and create bootable USB drives. The vulnerability, tracked as CVE-2026-23988, exploits a classic “Time-of-Check Time-of-Use” (TOCTOU) race condition, allowing a low-privileged local user to hijack the application and execute arbitrary code with Administrator rights.
The flaw specifically impacts how Rufus handles the download and execution of the Fido PowerShell script, a component used to help users download Windows ISOs.
The vulnerability stems from an unsafe file handling practice within Rufus’s network module (src/net.c). When a user attempts to download an ISO, Rufus downloads the necessary Fido script to the system’s %TEMP% directory.
Rufus runs with elevated Administrator privileges, but the %TEMP% directory is writeable by any standard user. “Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script,” the advisory explains.
The exploit relies on split-second timing. The vulnerability creates a brief window of opportunity, a “race window”, between three distinct actions:
- Creation: Rufus writes the PowerShell script to the disk and closes the file handle, unlocking it.
- Validation: Rufus checks the file’s signature.
- Execution: Rufus executes the script.
Attackers can monitor the %TEMP% directory for the creation of the script. “As soon as the file lock is released… immediately attempt to overwrite the file content with a malicious payload,” the security advisory notes.
If the attacker’s script overwrites the legitimate one after the handle is closed but before validation or execution completes, Rufus unwittingly runs the malware.
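As an added illustration (not code from Rufus or the advisory, and not the project's actual fix), the Python below models the create-validate-execute sequence two ways: the vulnerable flow re-reads the path for both validation and execution, so a replacement landing between the two steps is what gets run, while the hardened flow validates the bytes it already holds in memory and hands exactly those bytes on. The script text, the pinned SHA-256 (standing in for Rufus's signature check) and the `other_process` hook that simulates a second local user are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for the Fido script and its known-good value.
# Rufus validates a signature; a pinned hash plays that role here.
GOOD_SCRIPT = b"Write-Host 'download ISO'\n"
GOOD_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()
TAMPERED = b"Write-Host 'replaced content'\n"   # constructed replacement


def _valid(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() == GOOD_SHA256


def vulnerable_flow(temp_dir, other_process=lambda path, phase: None):
    """Create, close, validate by path, execute by path: the TOCTOU pattern.
    `other_process` stands in for any local user acting in the race window;
    it is invoked once after creation and once after validation."""
    path = Path(temp_dir) / "Fido.ps1"
    path.write_bytes(GOOD_SCRIPT)             # handle closed: file unlocked
    other_process(path, "after_create")
    if not _valid(path.read_bytes()):         # check reads the path ...
        return None                           # validation failed: not run
    other_process(path, "after_check")
    return path.read_bytes()                  # ... use reads the path again


def hardened_flow(temp_dir, other_process=lambda path, phase: None):
    """Read once, validate that buffer, pass the same buffer to the
    interpreter (e.g. over stdin). Later changes on disk cannot reach it."""
    path = Path(temp_dir) / "Fido.ps1"
    path.write_bytes(GOOD_SCRIPT)
    other_process(path, "after_create")
    data = path.read_bytes()                  # single read shared by check and use
    if not _valid(data):
        return None
    other_process(path, "after_check")
    return data                               # the validated bytes, nothing else


def simulate(flow, swap_phase):
    """Run `flow` with a replacement written at `swap_phase`; a deterministic
    stand-in for the timing race, so no thread or sleep is needed."""
    def other_process(path, phase):
        if phase == swap_phase:
            path.write_bytes(TAMPERED)
    with tempfile.TemporaryDirectory() as d:
        return flow(d, other_process)
```

Run `simulate(vulnerable_flow, "after_check")` to see the replaced content returned as the script to execute, and `simulate(hardened_flow, "after_check")` to see the validated script survive the same replacement.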
Because Rufus is a tool that requires administrative access to function (formatting drives requires raw disk access), any code it executes inherits those same high privileges.
“The malicious payload executes with the privileges of Rufus (Administrator/High Integrity), effectively bypassing UAC/permissions,” the report warns. This allows a standard user account to instantly escalate to full system control.
The vulnerability affects all versions of Rufus prior to the fix. The developers have addressed the race condition in the latest release.
Users are urged to upgrade to Rufus 4.12 immediately to close this security gap.