CVE Alert

CVE-2025-41259

UNKNOWN 0.0

SWUpdate Untrusted Script Execution via Signed Update TOCTOU

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update.

CWE: CWE-367
Vendor: sbabic
Product: swupdate
Published: Jun 3, 2026
Last Updated: Jun 3, 2026

Affected Versions

sbabic / SWUpdate
0 < 2026.05

References

NVD, CVE.org, EPSS Data
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251206-01_SWUpdate_Untrusted_Script_Execution_via_Signed_Update_TOCTOU
https://github.com/sbabic/swupdate/commit/f4bd64260e233e207354d68d572b1cbc3e63689d
https://github.com/sbabic/swupdate

Credits

Reinhard Kugler (SBA Research)