Skip to main content

SWUpdate CVE-2025-41259

| EUVDEUVD-2025-210052 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-03 sba-research GHSA-pmf3-4g49-qvxm
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 03, 2026 - 14:50 vuln.today
Analysis Generated
Jun 03, 2026 - 14:50 vuln.today
CVSS changed
Jun 03, 2026 - 13:22 NVD
7.3 (HIGH)
CVE Published
Jun 03, 2026 - 11:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update.

AnalysisAI

Local privilege escalation in SWUpdate versions before 2026.05 allows unprivileged users to gain root or install attacker-controlled content by winning a TOCTOU race during processing of a signed update. The flaw, reported by SBA Research and tracked as EUVD-2025-210052, undermines SWUpdate's signed-update integrity model on embedded Linux devices. No public exploit identified at time of analysis, but an upstream patch is available via commit f4bd6426.

Technical ContextAI

SWUpdate (sbabic/swupdate) is a widely used update agent for embedded Linux devices, commonly invoked with elevated privileges to apply signed firmware/software bundles. CWE-367 (TOCTOU) describes a class of bugs where a security-relevant check on a filesystem object and the subsequent use of that object are non-atomic, letting a local attacker swap the object in between. The upstream fix in core/util.c hardens swupdate_remove_directory() by stat()-ing the path and explicitly verifying S_ISDIR(path_stat.st_mode) before traversal/removal, which blocks a racing attacker from substituting a symlink or non-directory entry under a path SWUpdate will operate on as root.

RemediationAI

Vendor-released patch: upgrade SWUpdate to 2026.05 or later, which incorporates the fix from upstream commit https://github.com/sbabic/swupdate/commit/f4bd64260e233e207354d68d572b1cbc3e63689d adding stat() and S_ISDIR() validation in swupdate_remove_directory(). Device vendors that cannot immediately rebase should cherry-pick that commit into their fork and rebuild affected firmware images. As compensating controls until the patched binary is deployed, restrict who can invoke SWUpdate or write into its working/staging directories to root-only (tight filesystem ACLs and removing any setuid/sudoers entries that let unprivileged users trigger updates), and where feasible run SWUpdate from a directory on a filesystem the unprivileged attacker cannot write to - recognizing the trade-off that this may break legitimate user-initiated update flows on multi-user devices.

Share

CVE-2025-41259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy