{"id":"CVE-2025-41259","summary":"SWUpdate Untrusted Script Execution via Signed Update TOCTOU","details":"SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update.","modified":"2026-07-08T08:12:02.217265212Z","published":"2026-06-03T11:01:59.871Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/41xxx/CVE-2025-41259.json","cna_assigner":"sba-research","cwe_ids":["CWE-367"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/41xxx/CVE-2025-41259.json"},{"type":"ADVISORY","url":"https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251206-01_SWUpdate_Untrusted_Script_Execution_via_Signed_Update_TOCTOU"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-41259"},{"type":"FIX","url":"https://github.com/sbabic/swupdate/commit/f4bd64260e233e207354d68d572b1cbc3e63689d"},{"type":"PACKAGE","url":"https://github.com/sbabic/swupdate"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sbabic/swupdate","events":[{"introduced":"0"},{"fixed":"602edf8e57f940791034096c9e24206097b4b7a6"},{"fixed":"f4bd64260e233e207354d68d572b1cbc3e63689d"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2026.05"}]}}],"versions":["2025.12","2025.05","2024.12","2024.05.2","2024.05","2023.12.1","2023.12","2023.05","2022.12","2022.05","2021.11","2021.04","2020.11","2020.04","2020.04-rc2","2020.04-rc1","2019.11","2019.11-rc1","2019.04","2019.04-rc1","2018.11","2018.11-rc1","2018.03","2018.03-rc1","2017.11","2017.07","2017.07-rc1","2017.04","2017.04-rc2","2017.04-rc1","2017.01","2017.01-rc1","2016.10","2016.10-rc1","2016.07","2016.07-rc3","2016.04","2016.04-rc1","2015.07","2014.07"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-41259.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}