{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-11958", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-06-11T07:32:37.322Z", "datePublished": "2026-06-18T11:01:16.727Z", "dateUpdated": "2026-06-18T12:28:09.762Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-18T11:01:16.727Z"}, "title": "Local privilege escalation in ANSSI\u2019s DFIR-ORC", "datePublic": "2026-06-18T10:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element", "type": "CWE"}]}], "affected": [{"vendor": "ANSSI", "product": "DFIR-ORC", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "10.2.7", "versionType": "custom"}, {"status": "unaffected", "version": "10.3.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI\u2019s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\\Windows\\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI\u2019s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\\Windows\\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/local-privilege-escalation-anssis-dfir-orc", "tags": ["patch"]}, {"url": "https://github.com/DFIR-ORC/dfir-orc/releases/tag/v10.3.0", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.3, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "workarounds": [{"lang": "en", "value": "The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: Do not execute from a too permissive directory (v10.8.0); do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (<10.2.8).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: Do not execute from a too permissive directory (v10.8.0); do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (&lt;10.2.8)."}]}], "solutions": [{"lang": "en", "value": "The vulnerability has been\u00a0 fully addressed with an improved fix in 10.3.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnerability has been&nbsp; fully addressed with an improved fix in 10.3.0."}]}], "credits": [{"lang": "en", "value": "R\u00e9mi Delabrosse", "type": "finder"}, {"lang": "en", "value": "Nicolas Rodrigues", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-18T12:28:00.801964Z", "id": "CVE-2026-11958", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T12:28:09.762Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-11958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-18T12:28:00.801964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T12:28:05.462Z"}}], "cna": {"title": "Local privilege escalation in ANSSI\u2019s DFIR-ORC", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "R\u00e9mi Delabrosse"}, {"lang": "en", "type": "finder", "value": "Nicolas Rodrigues"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ANSSI", "product": "DFIR-ORC", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "10.2.7"}, {"status": "unaffected", "version": "10.3.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerability has been\u00a0 fully addressed with an improved fix in 10.3.0.", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been&nbsp; fully addressed with an improved fix in 10.3.0.", "base64": false}]}], "datePublic": "2026-06-18T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/local-privilege-escalation-anssis-dfir-orc", "tags": ["patch"]}, {"url": "https://github.com/DFIR-ORC/dfir-orc/releases/tag/v10.3.0", "tags": ["vendor-advisory", "patch"]}], "workarounds": [{"lang": "en", "value": "The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: Do not execute from a too permissive directory (v10.8.0); do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (<10.2.8).", "supportingMedia": [{"type": "text/html", "value": "The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: Do not execute from a too permissive directory (v10.8.0); do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (&lt;10.2.8).", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI\u2019s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\\Windows\\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.", "supportingMedia": [{"type": "text/html", "value": "Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI\u2019s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\\Windows\\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-18T11:01:16.727Z"}}}, "cveMetadata": {"cveId": "CVE-2026-11958", "state": "PUBLISHED", "dateUpdated": "2026-06-18T12:28:09.762Z", "dateReserved": "2026-06-11T07:32:37.322Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-06-18T11:01:16.727Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{}

{}