{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30332", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T17:26:30.031Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T15:34:43.935Z"}, "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/balena-io/etcher/issues/4500"}, {"url": "https://www.balena.io/security"}, {"url": "https://github.com/B1tBreaker/CVE-2026-30332"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:H/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:R", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-367", "lang": "en", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:26:27.141882Z", "id": "CVE-2026-30332", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:26:30.031Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30332", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T17:26:27.141882Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:26:03.174Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:H/AV:L/A:H/C:H/I:H/PR:L/S:C/UI:R", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/balena-io/etcher/issues/4500"}, {"url": "https://www.balena.io/security"}, {"url": "https://github.com/B1tBreaker/CVE-2026-30332"}], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T15:34:43.935Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30332", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:26:30.031Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process."}], "id": "CVE-2026-30332", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-02T16:16:22.050", "references": [{"source": "cve@mitre.org", "url": "https://github.com/B1tBreaker/CVE-2026-30332"}, {"source": "cve@mitre.org", "url": "https://github.com/balena-io/etcher/issues/4500"}, {"source": "cve@mitre.org", "url": "https://www.balena.io/security"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.4)"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "etcher", "vendor": "balena-io"}], "analysis": {"en": {"generated_at": "2026-04-02T22:38:54.656109+00:00", "value": {"mitigation_remediation": ["Upgrade Balena Etcher to version 2.1.4 or newer, which removes the race condition.", "Use a protected environment when flashing devices, ensuring that no malicious scripts can be introduced.", "If an upgrade is not immediately possible, monitor Balena\u2019s security page and apply any newly released patches as soon as they are available."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Execute Arbitrary Code"}, "threat_synthesis": {"affected_systems": "Any installation of Balena Etcher on Windows with a version earlier than v2.1.4 is affected. The vulnerability is triggered during the flashing process when scripts are validated and subsequently executed; users who specify a script to be run during the flash are at risk.", "description_and_impact": "A Time\u2011of\u2011Check to Time\u2011of\u2011Use (TOCTOU) race condition exists in Balena Etcher for Windows that allows a malicious actor to replace a legitimate script with a crafted payload while the application is flashing a device. The flaw permits an attacker to execute arbitrary code with elevated privileges, constituting a severe security risk that can compromise the host operating system.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a medium\u2011to\u2011high severity vulnerability. Exploit probability data (EPSS) is unavailable, and the flaw is not yet listed in the CISA KEV catalog. Based on the description, the likely attack requires local access to the target machine and the ability to run Balena Etcher with a crafted script file; no remote exploitation path is documented. The race condition between script validation and execution makes the vulnerability plausible under normal flashing scenarios."}}}}, "created": "2026-04-03T08:58:21.678644+00:00", "title": "Time\u2011of\u2011Check to Time\u2011of\u2011Use Race Condition in Balena Etcher Allows Privilege Escalation", "updated": "2026-04-03T09:19:01.527781+00:00", "vendors": ["balena-io", "balena-io$PRODUCT$etcher"]}