Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update.
AnalysisAI
Local privilege escalation in SWUpdate versions before 2026.05 allows unprivileged users to gain root or install attacker-controlled content by winning a TOCTOU race during processing of a signed update. The flaw, reported by SBA Research and tracked as EUVD-2025-210052, undermines SWUpdate's signed-update integrity model on embedded Linux devices. No public exploit identified at time of analysis, but an upstream patch is available via commit f4bd6426.
Technical ContextAI
SWUpdate (sbabic/swupdate) is a widely used update agent for embedded Linux devices, commonly invoked with elevated privileges to apply signed firmware/software bundles. CWE-367 (TOCTOU) describes a class of bugs where a security-relevant check on a filesystem object and the subsequent use of that object are non-atomic, letting a local attacker swap the object in between. The upstream fix in core/util.c hardens swupdate_remove_directory() by stat()-ing the path and explicitly verifying S_ISDIR(path_stat.st_mode) before traversal/removal, which blocks a racing attacker from substituting a symlink or non-directory entry under a path SWUpdate will operate on as root.
RemediationAI
Vendor-released patch: upgrade SWUpdate to 2026.05 or later, which incorporates the fix from upstream commit https://github.com/sbabic/swupdate/commit/f4bd64260e233e207354d68d572b1cbc3e63689d adding stat() and S_ISDIR() validation in swupdate_remove_directory(). Device vendors that cannot immediately rebase should cherry-pick that commit into their fork and rebuild affected firmware images. As compensating controls until the patched binary is deployed, restrict who can invoke SWUpdate or write into its working/staging directories to root-only (tight filesystem ACLs and removing any setuid/sudoers entries that let unprivileged users trigger updates), and where feasible run SWUpdate from a directory on a filesystem the unprivileged attacker cannot write to - recognizing the trade-off that this may break legitimate user-initiated update flows on multi-user devices.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210052
GHSA-pmf3-4g49-qvxm