{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/toctou/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.3,"id":"CVE-2025-68146"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["TOCTOU","symlink","filelock","CVE-2025-68146","race condition"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2025-68146 is a security vulnerability residing within the filelock library, a widely used Python library for file locking. The vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during the creation of lock files. This weakness can be exploited by a local attacker to perform symlink attacks. By carefully manipulating the file system, an attacker can potentially redirect the lock creation process to a file location they control. This is a locally exploitable vulnerability with potential for privilege escalation and unauthorized access, but requires local access to the vulnerable system. The advisory was published on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to the system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies an application utilizing the vulnerable filelock library for file locking operations.\u003c/li\u003e\n\u003cli\u003eAttacker creates a symbolic link (symlink) pointing the expected lock file path to a file location under their control.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application attempts to create a lock file at the expected location.\u003c/li\u003e\n\u003cli\u003eDue to the TOCTOU race condition, between the time the application checks for the existence of the lock file and the time it attempts to create it, the symlink is followed.\u003c/li\u003e\n\u003cli\u003eThe lock file is created in the attacker-controlled location instead of the intended secure location.\u003c/li\u003e\n\u003cli\u003eThe application continues execution, believing it has exclusive access, while the attacker can potentially modify or access the protected resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-68146 allows an attacker to manipulate file locking mechanisms, potentially leading to unauthorized modification or access to sensitive files. This can lead to data corruption, privilege escalation, or denial of service. The vulnerability requires local access, limiting the scope of potential attacks, but can be a critical issue in multi-user environments or systems with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or updates provided by the vendor (Microsoft) to address CVE-2025-68146 when they become available.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to critical files and directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious symlink creation attempts that might indicate exploitation of this TOCTOU vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T07:50:36Z","date_published":"2026-04-29T07:50:36Z","id":"/briefs/2024-05-filelock-symlink/","summary":"CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.","title":"CVE-2025-68146 filelock TOCTOU Race Condition Enables Symlink Attacks","url":"https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-27929"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","toctou","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA time-of-check time-of-use (TOCTOU) race condition vulnerability, identified as CVE-2026-27929, exists within the Windows LUAFV (likely referring to a component related to Least-Privilege User Account Filtering). This vulnerability enables a locally authenticated attacker to elevate their privileges on the system. The vulnerability stems from the way LUAFV handles file operations, creating a window where an attacker can manipulate a file between the time it is checked for permissions and the time it is actually used. Microsoft has assigned this vulnerability a CVSS v3.1 score of 7.0, indicating a high severity. Successful exploitation leads to unauthorized privilege escalation, potentially granting the attacker administrative control over the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker, with limited privileges, identifies a file or resource protected by LUAFV.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious program designed to exploit the TOCTOU vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious program initiates a file operation (e.g., accessing, modifying, or executing) on the target resource.\u003c/li\u003e\n\u003cli\u003eLUAFV performs a security check to determine if the attacker has the necessary permissions for the requested file operation.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a race condition to modify the target resource between the security check and the actual file operation, potentially bypassing the intended access controls. This might involve rapidly replacing a legitimate file with a symbolic link pointing to a sensitive system file.\u003c/li\u003e\n\u003cli\u003eLUAFV, acting on the outdated or manipulated state of the resource, grants the attacker elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to execute arbitrary code, install malicious software, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent access to the system with escalated privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27929 allows a local attacker with limited privileges to escalate their privileges to SYSTEM level. This would allow the attacker to perform actions such as installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights. Given the local nature of the attack, its impact is primarily confined to individual systems; however, in environments where users share systems or rely on specific permission models, this vulnerability poses a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to address CVE-2026-27929 as soon as possible. Refer to the Microsoft Security Response Center advisory linked in the references.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to monitor for suspicious processes launched by low-privileged users that might indicate exploitation attempts (e.g., running \u003ccode\u003ewhoami /priv\u003c/code\u003e from different contexts).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect potential exploitation attempts by monitoring for unexpected modifications within protected LUAFV areas.\u003c/li\u003e\n\u003cli\u003eMonitor for registry modifications related to LUAFV configurations, as attackers may attempt to weaken or disable security measures after privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-luafv-privesc/","summary":"CVE-2026-27929 is a time-of-check time-of-use (TOCTOU) race condition in Windows LUAFV that allows an authorized local attacker to elevate privileges.","title":"Windows LUAFV TOCTOU Vulnerability Allows Local Privilege Escalation (CVE-2026-27929)","url":"https://feed.craftedsignal.io/briefs/2026-04-luafv-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["openclaw","sandbox-escape","toctou"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions up to and including 2026.3.28 contain a critical vulnerability related to how they handle remote file system operations within a sandboxed environment. Specifically, the \u003ccode\u003ereadFile\u003c/code\u003e function in the remote file system bridge is susceptible to a Time-of-Check Time-of-Use (TOCTOU) race condition. This means that the application verifies the path of a file before reading it, but an attacker can potentially modify the file path in between the check and the read operation. The vulnerability was reported by AntAISecurityLab and patched in version 2026.3.31. Successful exploitation allows attackers to escape the sandbox, potentially leading to arbitrary code execution on the host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a request to the OpenClaw application, specifying a file path within the allowed sandbox.\u003c/li\u003e\n\u003cli\u003eOpenClaw\u0026rsquo;s \u003ccode\u003ereadFile\u003c/code\u003e function receives the request and validates that the requested path is within the allowed sandbox.\u003c/li\u003e\n\u003cli\u003eAfter the path is validated, but before the file is read, the attacker leverages a race condition to modify the file path. This could be achieved by symlink replacement or other file system manipulation techniques.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereadFile\u003c/code\u003e function now attempts to read the file from the modified path, which could point to a location outside the intended sandbox.\u003c/li\u003e\n\u003cli\u003eThe file from the attacker-controlled path is read, bypassing the initial security check.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the content of the file, potentially executing malicious code or leaking sensitive information, depending on the file\u0026rsquo;s contents and the application\u0026rsquo;s handling of it.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully escapes the sandbox, gaining unauthorized access to the host system\u0026rsquo;s resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this TOCTOU vulnerability allows an attacker to bypass the intended security restrictions of the OpenClaw sandbox. This can lead to arbitrary code execution on the host system, potentially allowing the attacker to install malware, steal sensitive data, or pivot to other systems on the network. While the specific number of affected installations is unknown, all deployments of OpenClaw versions 2026.3.28 or earlier are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch the vulnerability as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit this TOCTOU vulnerability by monitoring file access patterns.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system files to detect unauthorized modifications that could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:15:00Z","date_published":"2026-04-03T03:15:00Z","id":"/briefs/2026-04-openclaw-sandbox-escape/","summary":"A critical time-of-check time-of-use (TOCTOU) vulnerability in OpenClaw's remote file system bridge allows a sandbox escape by exploiting the delay between path validation and file reading, affecting versions up to 2026.3.28.","title":"OpenClaw TOCTOU Race Condition Leads to Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-30332"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","toctou","balena-etcher"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBalena Etcher for Windows versions prior to 2.1.4 are susceptible to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability (CVE-2026-30332). This flaw arises during the flashing process where a legitimate script can be replaced with a malicious payload. An attacker with local access and the ability to influence the file system can exploit this vulnerability to escalate privileges and execute arbitrary code. The successful exploitation of this issue can lead to a complete compromise of the affected system, granting the attacker full control. This is particularly concerning for environments where users with limited privileges routinely use Balena Etcher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to a Windows system where Balena Etcher is installed (versions prior to 2.1.4).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a legitimate script used by Balena Etcher during the flashing process.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the file system for Balena Etcher to access the targeted legitimate script.\u003c/li\u003e\n\u003cli\u003eBefore Etcher uses the legitimate script, the attacker leverages the TOCTOU vulnerability by rapidly replacing the legitimate script with a malicious script of the same name.\u003c/li\u003e\n\u003cli\u003eBalena Etcher, still operating under elevated privileges due to its intended function, executes the attacker-controlled script.\u003c/li\u003e\n\u003cli\u003eThe malicious script performs actions to escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-30332 allows an attacker to escalate privileges on a Windows system running a vulnerable version of Balena Etcher. This can lead to the execution of arbitrary code, potentially resulting in data theft, system compromise, or denial of service. The vulnerability affects versions prior to 2.1.4, and if left unpatched, could lead to widespread exploitation in environments where Balena Etcher is commonly used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Balena Etcher to version 2.1.4 or later to patch the vulnerability (CVE-2026-30332).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on the Balena Etcher installation directory to detect unauthorized modifications to script files.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by Balena Etcher to identify potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Balena Etcher Child Processes\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T16:16:22Z","date_published":"2026-04-02T16:16:22Z","id":"/briefs/2026-04-balena-etcher-toctou/","summary":"A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code by replacing a legitimate script with a crafted payload during the flashing process.","title":"Balena Etcher for Windows TOCTOU Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-balena-etcher-toctou/"}],"language":"en","title":"CraftedSignal Threat Feed — Toctou","version":"https://jsonfeed.org/version/1.1"}