
cpe:2.3:a:akeo:rufus:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Akeo (0ad581b7-1242-5e58-b067-a3193460fc2d)
Product: Rufus (40841bd8-3a57-5f52-978f-4036872b763c)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/pbatard/rufus | purl2cpe | 2026-06-01 10:12:23.039049
pkg:sourceforge/rufus.mirror | purl2cpe | 2026-06-01 10:12:23.039052

Vulnerability references

Identifier: CVE:CVE-2026-23988
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:51:16.496536
db.gcve.eu details: Rufus has Local Privilege Escalation via TOCTOU Race Condition in Fido Script Handling
HIGH (7.3)
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
Published: 2026-01-22T21:52:26.925Z
Updated: 2026-01-23T20:13:25.446Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2019-1010101
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:12:21.604026
db.gcve.eu details: Details available
Akeo Consulting Rufus 3.0 and earlier is affected by: Insecure Permissions. The impact is: arbitrary code execution with escalation of privilege. The component is: Executable installer, portable executable (ALL executables available). The attack vector is: CWE-29, CWE-377, CWE-379.
Published: 2019-07-19T15:38:13.000Z
Updated: 2024-08-05T03:07:18.332Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2019-1010100
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:12:21.603627
db.gcve.eu details: Details available
Akeo Consulting Rufus 3.0 and earlier is affected by: DLL search order hijacking. The impact is: Arbitrary code execution WITH escalation of privilege. The component is: Executable installers, portable executables (ALL executables on the web site). The attack vector is: CAPEC-471, CWE-426, CWE-427.
Published: 2019-07-19T15:37:12.000Z
Updated: 2024-08-05T03:07:18.327Z
Rationale: Imported from gcve-enriched-dumps CVE data
