CVE-2026-30332

HIGH

Balena Etcher for Windows <2.1.4 - Privilege Escalation

Title source: llm

Description

A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process.

References (3)

https://github.com/balena-io/etcher/issues/4500

https://www.balena.io/security

https://github.com/B1tBreaker/CVE-2026-30332

View Exploit ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 0.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-367

Status published

Published Apr 02, 2026

Tracked Since Apr 02, 2026