CVE-2026-23988 is a Time-of-check Time-of-use (TOCTOU) race condition vulnerability classified under CWE-367, affecting Rufus, a widely used Windows utility for formatting and creating bootable USB flash drives. The flaw exists in versions 4.11 and earlier in the src/net.c component during the handling of a Fido PowerShell script. Rufus operates with Administrator privileges but writes this script to the %TEMP% directory, which is writable by standard users. Because the file is not locked during the interval between creation and execution, a local attacker with standard user privileges can replace the legitimate script with a malicious one. When Rufus subsequently executes the script, the attacker’s code runs with Administrator privileges, enabling arbitrary code execution and potentially full system compromise. Exploitation requires local access and some user interaction, such as running Rufus or triggering the script execution. The vulnerability has a CVSS 3.1 base score of 7.3, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity but requiring privileges and user interaction. The issue was publicly disclosed on January 22, 2026, and fixed in Rufus version 4.12_BETA. No known exploits have been reported in the wild to date. This vulnerability is particularly concerning in environments where multiple users share systems or where local user accounts have limited privileges but can run Rufus. Attackers could leverage this flaw to escalate privileges and gain full control over affected Windows machines.

For European organizations, the impact of CVE-2026-23988 can be significant, especially in sectors relying heavily on Windows-based systems and USB boot media creation, such as IT service providers, government agencies, and enterprises with complex endpoint management. Successful exploitation allows local attackers to escalate privileges to Administrator level, potentially leading to full system compromise, data theft, unauthorized changes, or deployment of persistent malware. This risk is heightened in shared workstation environments, development labs, or organizations with less stringent endpoint controls. The vulnerability could facilitate lateral movement within networks if attackers gain initial footholds on lower-privileged accounts. Additionally, organizations relying on Rufus for secure USB media creation might face risks of supply chain compromise or tampering with bootable media. Although no exploits are currently known in the wild, the ease of exploitation and high impact warrant proactive mitigation to prevent potential attacks.

To mitigate CVE-2026-23988, European organizations should immediately upgrade Rufus to version 4.12_BETA or later, where the vulnerability is fixed. Until upgrades are deployed, restrict write permissions to the %TEMP% directory during Rufus execution to prevent unauthorized script replacement. Implement application whitelisting and endpoint protection to monitor and block unauthorized script executions. Enforce the principle of least privilege by limiting local user permissions and restricting the ability to run Rufus or similar utilities to trusted administrators only. Employ monitoring and alerting for suspicious file modifications in temporary directories. Educate users about the risks of running outdated Rufus versions and the importance of applying updates promptly. In environments with shared workstations, consider isolating user sessions or using virtualization to reduce the risk of local privilege escalation. Regularly audit installed software versions and patch management processes to ensure timely vulnerability remediation.