SWUpdate TOCTOU Race Condition Vulnerability Allowing Privilege Escalation

Vulnerability

A time-of-check time-of-use (TOCTOU) race condition vulnerability has been identified in SWUpdate versions prior to 2026.05. This vulnerability allows local unprivileged attackers to escalate privileges to root or install untrusted content using a signed update. The issue arises during the update process, where an attacker can manipulate script files to execute malicious code with elevated privileges.

Impact

Exploitation of this vulnerability allows local unprivileged users to execute untrusted scripts as the swupdate user, escalate privileges to root, and tamper with update files during the installation process.

Reproduction

To reproduce this vulnerability, create a signed update file that includes a script and a larger file blob. Initiate the update process while replacing the script file with a malicious version before SWUpdate executes it. This can be done by preparing a controlled 'scripts' directory in '/tmp' and timing the replacement of the script file to exploit the TOCTOU race condition.

Remediation

Users are advised to update SWUpdate to version 2026.05 or later. Additionally, set the temporary directory to a separate folder with restrictive permissions.
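One way to check a candidate temporary directory against this advice, as an added example that is not SWUpdate code. The function name `audit_tmpdir`, the path `/var/lib/swupdate-tmp`, the owner UID, and the rule that no ancestor may be group- or world-writable are assumptions of this example.

```python
import os
import stat


def audit_tmpdir(path, owner_uid, trusted_root="/"):
    """Return a list of findings; an empty list means the directory passes.

    Walks every component below trusted_root with lstat(), so a symlink
    planted anywhere on the way is reported rather than followed.
    """
    path = os.path.abspath(path)
    root = os.path.abspath(trusted_root)
    if path == root or os.path.commonpath([path, root]) != root:
        return [f"{path}: must be a directory below {root}"]

    findings = []
    parts = os.path.relpath(path, root).split(os.sep)
    current = root
    for index, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            return findings + [f"{current}: does not exist"]
        if stat.S_ISLNK(st.st_mode):
            return findings + [f"{current}: is a symlink"]
        if not stat.S_ISDIR(st.st_mode):
            return findings + [f"{current}: is not a directory"]

        mode = stat.S_IMODE(st.st_mode)
        if index == len(parts) - 1:
            # The temporary directory itself: private to the updater account.
            if st.st_uid != owner_uid:
                findings.append(f"{current}: owned by uid {st.st_uid}, expected {owner_uid}")
            if mode & 0o077:
                findings.append(f"{current}: mode {mode:04o} grants group/other access")
        else:
            # Ancestors: a directory other users can write to (such as /tmp)
            # lets them create entries under names the updater will use.
            if st.st_uid not in (0, owner_uid):
                findings.append(f"{current}: ancestor owned by uid {st.st_uid}")
            if mode & 0o022:
                findings.append(f"{current}: ancestor mode {mode:04o} is group/world-writable")
    return findings


if __name__ == "__main__":
    # Hypothetical path; pass the directory and account your deployment uses.
    for finding in audit_tmpdir("/var/lib/swupdate-tmp", owner_uid=0):
        print(finding)
```

An empty result means the directory and every parent below the trusted root passed; running the check before the updater starts catches a directory that was pre-created or loosened by another account.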

Added: Jun 3, 2026, 1:29 PM
Updated: Jun 3, 2026, 1:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 9.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.