<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Toctou — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/toctou/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 Apr 2026 07:50:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/toctou/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-68146 filelock TOCTOU Race Condition Enables Symlink Attacks</title><link>https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/</link><pubDate>Wed, 29 Apr 2026 07:50:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/</guid><description>CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.</description><content:encoded><![CDATA[<p>CVE-2025-68146 is a security vulnerability residing within the filelock library, a widely used Python library for file locking. The vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during the creation of lock files. This weakness can be exploited by a local attacker to perform symlink attacks. By carefully manipulating the file system, an attacker can potentially redirect the lock creation process to a file location they control. 
The flaw is exploitable only by a local user: the attacker needs an account on the host and write access to the directory in which the victim process creates its lock file, so that a symlink can be planted there. When the victim runs with more privileges than the attacker, the followed link lets the attacker cause file access or modification they are not entitled to, which is where the privilege-escalation potential lies. The advisory was published on April 29, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial local access to the system.</li>
<li>Attacker identifies an application utilizing the vulnerable filelock library for file locking operations.</li>
<li>Attacker creates a symbolic link (symlink) pointing the expected lock file path to a file location under their control.</li>
<li>The vulnerable application attempts to create a lock file at the expected location.</li>
<li>The existence check and the file creation are separate operations. A symlink placed at the lock path between them, or one that was already there but whose target did not exist at check time, is followed when the application creates the lock file.</li>
<li>The lock file is created in the attacker-controlled location instead of the intended secure location.</li>
<li>The application continues execution, believing it has exclusive access, while the attacker can potentially modify or access the protected resource.</li>
</ol>
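<p>The check-then-create race described in the chain above, shown as an added Python example (illustrative code written for this brief, not filelock's implementation or the published fix). It assumes a POSIX host, builds its own temporary directory and symlink, and contrasts a naive <code>exists()</code>-then-<code>open()</code> lock with one created via <code>O_CREAT|O_EXCL|O_NOFOLLOW</code> followed by an inode check:</p>

```python
import os
import stat
import tempfile


def create_lock_vulnerable(lock_path: str) -> int:
    """Check-then-create: exists() follows symlinks and is a separate system
    call from open(), so a link at lock_path that dangles at check time (or
    is planted after the check) is followed when the lock is created."""
    if os.path.exists(lock_path):  # time of check
        raise RuntimeError("lock already held")
    return os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)  # time of use


def create_lock_hardened(lock_path: str) -> int:
    """Create the lock in one atomic step and never follow links.
    O_EXCL makes open() fail if anything, a symlink included, already exists
    at lock_path; O_NOFOLLOW (POSIX) additionally refuses a symlink outright."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(lock_path, flags, 0o644)
    except FileExistsError as exc:
        raise RuntimeError("lock path already exists; refusing to reuse it") from exc
    # Defence in depth: what we hold must be a regular file and must still be
    # the inode the name refers to (catches a swap right after creation).
    st_fd, st_name = os.fstat(fd), os.lstat(lock_path)
    same_inode = (st_fd.st_dev, st_fd.st_ino) == (st_name.st_dev, st_name.st_ino)
    if not stat.S_ISREG(st_fd.st_mode) or not same_inode:
        os.close(fd)
        raise RuntimeError("lock file was tampered with after creation")
    return fd


def demo() -> dict:
    """Constructed scenario (not from the advisory): the attacker plants a
    dangling symlink at the lock path that points into a directory they do
    not control, then the victim process creates its lock."""
    with tempfile.TemporaryDirectory() as tmp:
        lock = os.path.join(tmp, "app.lock")
        victim_dir = os.path.join(tmp, "victim_only")
        os.mkdir(victim_dir)
        target = os.path.join(victim_dir, "planted.txt")  # does not exist yet
        os.symlink(target, lock)  # attacker's move, before the victim runs

        vulnerable_created_target = False
        try:
            os.close(create_lock_vulnerable(lock))
            vulnerable_created_target = os.path.isfile(target)  # file appeared via the link
        except RuntimeError:
            pass

        hardened_refused = False
        try:
            os.close(create_lock_hardened(lock))
        except RuntimeError:
            hardened_refused = True

        clean = os.path.join(tmp, "clean.lock")
        os.close(create_lock_hardened(clean))
        hardened_ok_on_clean_path = os.path.isfile(clean) and not os.path.islink(clean)

        return {
            "vulnerable_created_target": vulnerable_created_target,
            "hardened_refused": hardened_refused,
            "hardened_ok_on_clean_path": hardened_ok_on_clean_path,
        }


if __name__ == "__main__":
    print(demo())
```

<p>Note the trade-off: <code>O_EXCL</code> turns the symlink attack into a denial of lock, since an attacker can pre-create the path, and a lock file that is never removed blocks forever after a crash, which is why real lock libraries pair creation with advisory locking rather than relying on exclusive creation alone. The durable fix is to keep lock files in a directory that only the locking process can write to.</p>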
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-68146 lets an attacker subvert the file-locking mechanism and have the lock file created at a path of their choosing with the victim's privileges, which can lead to unauthorized access to or modification of sensitive files, data corruption, privilege escalation, or denial of service. The need for local access limits the exposure, but the issue is serious on multi-user hosts and wherever a privileged service or scheduled job uses filelock in a directory that other users can write to.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched release of the filelock library (the <code>filelock</code> package on PyPI) in every application and virtual environment that bundles it. filelock is a transitive dependency of many Python tools, so check lock files and SBOMs rather than only direct requirements.</li>
<li>Implement file integrity monitoring to detect unauthorized modifications to critical files and directories.</li>
<li>Deploy the Sigma rule that accompanies this brief to detect suspicious symlink creation in directories where lock files are written, which may indicate an attempt to exploit this TOCTOU vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>TOCTOU</category><category>symlink</category><category>filelock</category><category>CVE-2025-68146</category><category>race condition</category></item><item><title>Windows LUAFV TOCTOU Vulnerability Allows Local Privilege Escalation (CVE-2026-27929)</title><link>https://feed.craftedsignal.io/briefs/2026-04-luafv-privesc/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-luafv-privesc/</guid><description>CVE-2026-27929 is a time-of-check time-of-use (TOCTOU) race condition in Windows LUAFV that allows an authorized local attacker to elevate privileges.</description><content:encoded><![CDATA[<p>A time-of-check time-of-use (TOCTOU) race condition, identified as CVE-2026-27929, exists in Windows LUAFV (<code>luafv.sys</code>, the LUA File Virtualization filter driver that implements UAC file virtualization for legacy applications). The flaw allows a locally authenticated attacker to elevate privileges. It stems from the way the driver handles file operations: a file can be swapped between the moment its permissions are checked and the moment it is used, and the driver then completes the operation against the swapped-in target. Microsoft has assigned the vulnerability a CVSS v3.1 base score of 7.0 (high). Successful exploitation yields unauthorized privilege escalation, potentially giving the attacker administrative control of the compromised system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker, with limited privileges, identifies a file or resource protected by LUAFV.</li>
<li>The attacker crafts a malicious program designed to exploit the TOCTOU vulnerability.</li>
<li>The malicious program initiates a file operation (e.g., accessing, modifying, or executing) on the target resource.</li>
<li>LUAFV performs a security check to determine if the attacker has the necessary permissions for the requested file operation.</li>
<li>The attacker wins a race by changing the target between the security check and the actual file operation, bypassing the intended access control. One plausible way is to rapidly replace a legitimate file with a symbolic link pointing to a sensitive system file.</li>
<li>LUAFV acts on the now-stale result of its check and performs the operation on the manipulated target, which is how the attacker gains elevated privileges.</li>
<li>The attacker leverages the elevated privileges to execute arbitrary code, install malicious software, or access sensitive data.</li>
<li>The attacker achieves persistent access to the system with escalated privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-27929 allows a local attacker with limited privileges to escalate their privileges to SYSTEM level. This would allow the attacker to perform actions such as installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights. Given the local nature of the attack, its impact is primarily confined to individual systems; however, in environments where users share systems or rely on specific permission models, this vulnerability poses a significant threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update released by Microsoft to address CVE-2026-27929 as soon as possible. Refer to the Microsoft Security Response Center advisory linked in the references.</li>
<li>Enable process creation auditing with command-line logging (Security event 4688 or Sysmon event 1) and look for reconnaissance such as <code>whoami /priv</code> or <code>whoami /groups</code> running at a higher integrity level than the interactive user normally has, which is a common first step after a successful elevation.</li>
<li>Implement the provided Sigma rule to detect potential exploitation attempts by monitoring for unexpected modifications within protected LUAFV areas.</li>
<li>Monitor for registry changes to the UAC and virtualization settings under <code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</code> (for example <code>EnableLUA</code> and <code>EnableVirtualization</code>), as attackers may weaken or disable these controls after escalating privileges.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>toctou</category><category>windows</category></item><item><title>OpenClaw TOCTOU Race Condition Leads to Sandbox Escape</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-escape/</link><pubDate>Fri, 03 Apr 2026 03:15:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-escape/</guid><description>A critical time-of-check time-of-use (TOCTOU) vulnerability in OpenClaw's remote file system bridge allows a sandbox escape by exploiting the delay between path validation and file reading, affecting versions up to 2026.3.28.</description><content:encoded><![CDATA[<p>OpenClaw versions up to and including 2026.3.28 contain a critical vulnerability in how the remote file system bridge handles file operations on behalf of a sandboxed environment. Specifically, the <code>readFile</code> function in the bridge is susceptible to a Time-of-Check Time-of-Use (TOCTOU) race condition: it validates that a requested path lies inside the sandbox and then reads the file by path, so what the path resolves to can be changed (for example by swapping a directory for a symlink) between the validation and the read. The vulnerability was reported by AntAISecurityLab and patched in version 2026.3.31. Successful exploitation allows an attacker to read files outside the sandbox and escape it, potentially leading to arbitrary code execution on the host system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a request to the OpenClaw application, specifying a file path within the allowed sandbox.</li>
<li>OpenClaw&rsquo;s <code>readFile</code> function receives the request and validates that the requested path is within the allowed sandbox.</li>
<li>After the path is validated but before the file is read, the attacker wins the race by changing what the validated path resolves to, for example by replacing a directory component with a symlink pointing outside the sandbox.</li>
<li>The <code>readFile</code> function opens the same path string, which the operating system resolves afresh, and the read now lands at a location outside the intended sandbox.</li>
<li>The file from the attacker-controlled path is read, bypassing the initial security check.</li>
<li>OpenClaw processes the content of the file, potentially executing malicious code or leaking sensitive information, depending on the file&rsquo;s contents and the application&rsquo;s handling of it.</li>
<li>The attacker successfully escapes the sandbox, gaining unauthorized access to the host system&rsquo;s resources.</li>
</ol>
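<p>The validate-then-read pattern of steps 2 to 5, as an added Python example that is not OpenClaw's code (the bridge is not reproduced here, and the function, directory and file names are invented). It assumes a POSIX host; the <code>race_hook</code> parameter is a test seam standing in for the attacker winning the race. The hardened variant opens the path one component at a time relative to a descriptor for the sandbox root with <code>O_NOFOLLOW</code>, so there is no name left to re-point between check and use:</p>

```python
import os
import tempfile
from typing import Callable, Optional


def read_in_sandbox_vulnerable(root: str, rel: str,
                               race_hook: Optional[Callable[[], None]] = None) -> bytes:
    """Validate the resolved path, then read by name: two separate steps."""
    root_real = os.path.realpath(root)
    candidate = os.path.join(root, rel)
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root_real, resolved]) != root_real:  # time of check
        raise PermissionError(f"{rel!r} resolves outside the sandbox")
    if race_hook is not None:
        race_hook()  # attacker swaps a directory for a symlink here
    with open(candidate, "rb") as f:  # time of use: the kernel resolves the name again
        return f.read()


def read_in_sandbox_hardened(root: str, rel: str) -> bytes:
    """Reject '..' and absolute paths up front, then open each component via
    dir_fd with O_NOFOLLOW so a symlink anywhere in the path fails (ELOOP)."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if os.path.isabs(rel) or not parts or ".." in parts:
        raise PermissionError(f"{rel!r} rejected")
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts[:-1]:
            next_fd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as exc:  # ELOOP for a symlink component, ENOENT/ENOTDIR for bad paths
        raise PermissionError(f"{rel!r} refused: {exc.strerror}") from exc
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout (not from the advisory): sandbox/data/config.txt is
    legitimate, outside/config.txt holds a secret the sandbox must not read."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "sandbox")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "data"))
        os.makedirs(outside)
        with open(os.path.join(root, "data", "config.txt"), "wb") as f:
            f.write(b"inside")
        with open(os.path.join(outside, "config.txt"), "wb") as f:
            f.write(b"SECRET")

        def attacker_wins_race() -> None:
            # Replace the already-validated directory with a symlink pointing outside.
            os.rename(os.path.join(root, "data"), os.path.join(root, "data.orig"))
            os.symlink(outside, os.path.join(root, "data"))

        result = {}
        try:  # without a race, the static check does catch plain traversal
            read_in_sandbox_vulnerable(root, "../outside/config.txt")
            result["static_check_catches_traversal"] = False
        except PermissionError:
            result["static_check_catches_traversal"] = True
        result["vulnerable_read"] = read_in_sandbox_vulnerable(root, "data/config.txt", attacker_wins_race)
        try:  # the symlink is now in place; the hardened open must refuse it
            read_in_sandbox_hardened(root, "data/config.txt")
            result["hardened_refused_symlink"] = False
        except PermissionError:
            result["hardened_refused_symlink"] = True
        try:
            read_in_sandbox_hardened(root, "../outside/config.txt")
            result["hardened_refused_traversal"] = False
        except PermissionError:
            result["hardened_refused_traversal"] = True
        result["hardened_legit_read"] = read_in_sandbox_hardened(root, "data.orig/config.txt")
        return result


if __name__ == "__main__":
    print(demo())
```

<p>The lesson is that checking a string and then using the string is never atomic; the check has to be performed on the same object the read uses, which in file-system terms means operating on descriptors rather than names.</p>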
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this TOCTOU vulnerability allows an attacker to bypass the intended security restrictions of the OpenClaw sandbox. This can lead to arbitrary code execution on the host system, potentially allowing the attacker to install malware, steal sensitive data, or pivot to other systems on the network. While the specific number of affected installations is unknown, all deployments of OpenClaw versions 2026.3.28 or earlier are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.31 or later to patch the vulnerability as indicated in the advisory.</li>
<li>Deploy the provided Sigma rule to detect attempts to exploit this TOCTOU vulnerability by monitoring file access patterns.</li>
<li>Enable file integrity monitoring (FIM) on critical system files to detect unauthorized modifications that could indicate exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>openclaw</category><category>sandbox-escape</category><category>toctou</category></item><item><title>Balena Etcher for Windows TOCTOU Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-balena-etcher-toctou/</link><pubDate>Thu, 02 Apr 2026 16:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-balena-etcher-toctou/</guid><description>A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code by replacing a legitimate script with a crafted payload during the flashing process.</description><content:encoded><![CDATA[<p>Balena Etcher for Windows versions prior to 2.1.4 are susceptible to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability (CVE-2026-30332). This flaw arises during the flashing process where a legitimate script can be replaced with a malicious payload. An attacker with local access and the ability to influence the file system can exploit this vulnerability to escalate privileges and execute arbitrary code. The successful exploitation of this issue can lead to a complete compromise of the affected system, granting the attacker full control. This is particularly concerning for environments where users with limited privileges routinely use Balena Etcher.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial local access to a Windows system where Balena Etcher is installed (versions prior to 2.1.4).</li>
<li>The attacker identifies a legitimate script used by Balena Etcher during the flashing process.</li>
<li>The attacker monitors the file system for Balena Etcher to access the targeted legitimate script.</li>
<li>Before Etcher uses the legitimate script, the attacker leverages the TOCTOU vulnerability by rapidly replacing the legitimate script with a malicious script of the same name.</li>
<li>Balena Etcher, still operating under elevated privileges due to its intended function, executes the attacker-controlled script.</li>
<li>The malicious script performs actions to escalate privileges.</li>
<li>The attacker executes arbitrary code within the context of the elevated privileges.</li>
<li>The attacker achieves persistence and control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-30332 allows an attacker to escalate privileges on a Windows system running a vulnerable version of Balena Etcher. This can lead to the execution of arbitrary code, potentially resulting in data theft, system compromise, or denial of service. The vulnerability affects versions prior to 2.1.4; an unpatched copy exposes every host where a standard user can run Etcher and can also write to the location the flashing script is loaded from.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Balena Etcher to version 2.1.4 or later to patch the vulnerability (CVE-2026-30332).</li>
<li>Implement file integrity monitoring on the Balena Etcher installation directory to detect unauthorized modifications to script files.</li>
<li>Monitor process creation events for unexpected processes spawned by Balena Etcher to identify potential exploitation attempts. Deploy the Sigma rule <code>Detect Suspicious Balena Etcher Child Processes</code> to your SIEM.</li>
</ul>
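<p>The process-creation monitoring recommended for this brief and for the Windows LUAFV brief above, as an added Python example that belongs to neither advisory and is not a published Sigma rule. It runs two heuristics over constructed Sysmon-event-1-style records: an unexpected child of the Etcher process, and a High or System integrity process whose parent ran at Medium or Low and is not a known elevation broker. The Etcher image name, the suspicious-child list and the broker allowlist are assumptions to be baselined against your own telemetry; UAC-elevated launches from <code>explorer.exe</code> are the main benign source of integrity jumps, which is why that parent is allowlisted:</p>

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed Etcher image name on Windows; adjust to what your telemetry shows.
ETCHER_IMAGES = {"balenaetcher.exe"}
# Children the flashing workflow has no reason to spawn (assumed baseline).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "whoami.exe", "net.exe"}
# Parents that legitimately launch higher-integrity children (assumed allowlist).
ELEVATION_BROKERS = {"explorer.exe", "services.exe", "svchost.exe", "consent.exe", "winlogon.exe"}
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


@dataclass
class Finding:
    rule: str
    process_guid: str
    image: str
    parent_image: str
    command_line: str


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def detect(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Run both rules over process creation records in stream order. The
    parent's integrity level is not in the child's record, so it is looked
    up from the parent's own creation event seen earlier in the stream."""
    seen: Dict[str, Dict[str, str]] = {}
    findings: List[Finding] = []
    for ev in events:
        child, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        # Rule 1 (Balena Etcher brief): unexpected child process of Etcher.
        if parent in ETCHER_IMAGES and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding("etcher_child", ev["ProcessGuid"], ev["Image"],
                                    ev["ParentImage"], ev["CommandLine"]))
        # Rule 2 (LUAFV brief): Medium/Low parent that is not an elevation broker
        # produced a High/System child, an integrity jump with no UAC path.
        parent_ev = seen.get(ev["ParentProcessGuid"])
        if parent_ev is not None:
            parent_rank = INTEGRITY_RANK[parent_ev["IntegrityLevel"]]
            child_rank = INTEGRITY_RANK[ev["IntegrityLevel"]]
            if (child_rank >= INTEGRITY_RANK["High"] and parent_rank < INTEGRITY_RANK["High"]
                    and parent not in ELEVATION_BROKERS):
                findings.append(Finding("integrity_jump", ev["ProcessGuid"], ev["Image"],
                                        ev["ParentImage"], ev["CommandLine"]))
        seen[ev["ProcessGuid"]] = ev
    return findings


def _ev(guid: str, parent_guid: str, image: str, parent_image: str,
        integrity: str, cmd: str) -> Dict[str, str]:
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid, "Image": image,
            "ParentImage": parent_image, "IntegrityLevel": integrity, "CommandLine": cmd}


EXPLORER = r"C:\Windows\explorer.exe"
ETCHER = r"C:\Users\alice\AppData\Local\Programs\balena-etcher\balenaEtcher.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WHOAMI = r"C:\Windows\System32\whoami.exe"
SOMEAPP = r"C:\Users\alice\Downloads\someapp.exe"

# Constructed sample stream, not real telemetry.
SAMPLE_EVENTS = [
    _ev("G1", "G0", EXPLORER, r"C:\Windows\System32\userinit.exe", "Medium", "explorer.exe"),
    _ev("G2", "G1", ETCHER, EXPLORER, "High", '"balenaEtcher.exe"'),   # UAC-elevated launch: benign
    _ev("G3", "G2", CMD, ETCHER, "High", "cmd.exe /c whoami /priv"),   # Etcher spawning a shell
    _ev("G4", "G1", SOMEAPP, EXPLORER, "Medium", "someapp.exe"),
    _ev("G5", "G4", WHOAMI, SOMEAPP, "High", "whoami /priv"),          # Medium parent, High child
    _ev("G6", "G1", CMD, EXPLORER, "Medium", "cmd.exe"),
    _ev("G7", "G6", WHOAMI, CMD, "Medium", "whoami /priv"),            # user-level recon: not flagged
]


def demo() -> List[Finding]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

<p>Both rules need the parent process's creation event to be present in the stream, so retain Sysmon event 1 (or 4688 with command-line logging) long enough for parent lookups, and tune the allowlists before alerting on them in production.</p>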
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>toctou</category><category>balena-etcher</category></item></channel></rss>