securityonline.info 1/26/2026, 1:45:57 AM · via preferred

Booting Up Malware: Critical Flaw in Rufus Grants Admin Access (CVE-2026-23988)

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch status unknown

A high-severity flaw has been discovered in Rufus, the tool used to format and create bootable USB drives, tracked as CVE-2026-23988. The vulnerability arises from an unsafe file handling practice in Rufus’s network module, where the Fido PowerShell script is downloaded to the system’s %TEMP% directory and can be overwritten during a brief race window.

Rufus runs with Administrator privileges, but the %TEMP% directory is writeable by standard users, allowing a local attacker to replace the legitimate script as soon as the file lock is released. The exploit hinges on a race between creation, validation, and execution of the script, enabling a malicious payload to be executed with Administrator rights if overwritten before validation or execution completes.

The advisory notes that the malicious payload would run with the privileges of Rufus, effectively bypassing UAC and escalating to full system control; the issue affects all versions prior to the fix, with developers directing users to upgrade to Rufus 4.12.
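The race between validation and execution described above, as an added example (not code from Rufus or from the advisory): it compares validating a file and then reopening it by path with validating and using a single in-memory copy. The file name `script.ps1`, the SHA-256 check standing in for validation, and the `race_window` hook that simulates the overwrite are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the downloaded script and a replaced copy.
GOOD = b"Write-Output 'legitimate script'\n"
EVIL = b"Write-Output 'replaced script'\n"
GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()


def check_then_use_path(path, expected_sha256, race_window=None):
    """Unsafe pattern: validate the file, then reopen it by path to run it."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected_sha256:
            raise ValueError("validation failed")
    # The handle is closed here, so another user can rewrite the file.
    if race_window:
        race_window(path)
    with open(path, "rb") as f:
        return f.read()  # bytes that would be handed to the interpreter


def validate_bytes_then_use(path, expected_sha256, race_window=None):
    """Safer pattern: read once, then validate and use that same copy."""
    with open(path, "rb") as f:
        data = f.read()
    if race_window:
        race_window(path)
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("validation failed")
    return data  # later changes to the file on disk cannot affect this


def swap_script(path):
    """Hypothetical hook: simulates the overwrite in a shared temp directory."""
    with open(path, "wb") as f:
        f.write(EVIL)


def demo():
    """Runs both patterns against a file that is swapped mid-way."""
    results = {}
    for name, fn in (("by_path", check_then_use_path),
                     ("in_memory", validate_bytes_then_use)):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "script.ps1")
            with open(path, "wb") as f:
                f.write(GOOD)
            results[name] = fn(path, GOOD_SHA256, race_window=swap_script)
    return results
```

With the swap in place, the by-path variant returns the replaced bytes even though validation passed, while the in-memory variant returns only what it validated. Creating the file in a directory that standard users cannot write to removes the overwrite opportunity altogether.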


Article by CyberSIXT