CVE-2026-11958

Summary

Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.

Affected Software

VendorProductVersion RangeStatus
ANSSIDFIR-ORC0 <= 10.2.7affected
ANSSIDFIR-ORC10.3.0unaffected

Weaknesses

  • CWE-427: CWE-427: Uncontrolled Search Path Element

Workarounds

The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: Do not execute from a too permissive directory (v10.8.0); do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (<10.2.8).

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References