Local privilege escalation in ANSSI’s DFIR-ORC
Summary
| CVE | CVE-2026-11958 |
|---|---|
| State | PUBLISHED |
| Assigner | INCIBE |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-18 14:17:20 UTC |
| Updated | 2026-06-22 19:45:16 UTC |
| Description | Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine. |
Risk And Classification
Primary CVSS: v4.0 7.3 HIGH from [email protected]
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001020000 probability, percentile 0.011280000 (date 2026-06-25)
Problem Types: CWE-427 | CWE-427 CWE-427: Uncontrolled Search Path Element
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.3 | HIGH | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 7.3 | HIGH | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/DFIR-ORC/dfir-orc/releases/tag/v10.3.0 | [email protected] | github.com | |
| www.incibe.es/en/incibe-cert/notices/aviso/local-privilege-escalation-anssi... | [email protected] | www.incibe.es | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Rémi Delabrosse (en)
CNA: Nicolas Rodrigues (en)
Additional Advisory Data
Solutions
CNA: The vulnerability has been fully addressed with an improved fix in 10.3.0.
Workarounds
CNA: The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: Do not execute from a too permissive directory (v10.8.0); do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (<10.2.8).