CVE-2026-30332: n/a
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process.
AI Analysis
Technical Summary
CVE-2026-30332 is a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability identified in Balena Etcher for Windows prior to version 2.1.4. The vulnerability arises during the disk flashing process, where the software checks a script's integrity or legitimacy before execution (time-of-check), but an attacker can replace the script with a malicious payload before the script is actually used (time-of-use). This race condition enables an attacker with limited privileges on the system to escalate their privileges and execute arbitrary code with higher privileges. The vulnerability requires local access and user interaction, as the attacker must initiate or influence the flashing process. The CVSS v3.1 base score is 7.5, reflecting high severity due to the potential for complete system compromise, affecting confidentiality, integrity, and availability. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the nature of the vulnerability makes it a significant risk for environments where Balena Etcher is used for imaging tasks. The lack of patch links in the provided data suggests users must verify and apply the official update to version 2.1.4 or later to remediate the issue.
Potential Impact
The vulnerability allows attackers with limited local privileges to escalate their privileges and execute arbitrary code, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, modification or destruction of system files, and disruption of system availability. Organizations using Balena Etcher for imaging USB drives or SD cards, especially in environments where endpoint security is critical (e.g., development, IT operations, or secure boot processes), face increased risk. Attackers could leverage this vulnerability to implant persistent malware or bypass security controls by manipulating the flashing process. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk in environments with multiple users or where endpoint devices are shared or less controlled. The vulnerability's scope change means that the impact can extend beyond the application itself, potentially affecting the entire host system.
Mitigation Recommendations
1. Immediately update Balena Etcher to version 2.1.4 or later, where the vulnerability is patched.
2. Restrict local user permissions to prevent unauthorized users from initiating or manipulating the flashing process.
3. Implement application whitelisting and integrity verification mechanisms to detect unauthorized script modifications during the flashing process.
4. Use endpoint detection and response (EDR) solutions to monitor for suspicious activities related to disk imaging tools.
5. Educate users about the risks of running untrusted scripts or software during device imaging.
6. Where possible, perform flashing operations in controlled, isolated environments to reduce the risk of exploitation.
7. Regularly audit and monitor systems for signs of privilege escalation or unauthorized code execution related to imaging tools.
8. Employ multi-factor authentication and strong access controls on systems where Balena Etcher is used to limit the risk of local exploitation.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-04T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ce9471e6bfc5ba1de93467
Added to database: 4/2/2026, 4:08:17 PM
Last enriched: 4/2/2026, 4:23:18 PM
Last updated: 4/2/2026, 6:55:12 PM
Views: 6