CVE-2026-11958
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
The vulnerability allows local privilege escalation by loading malicious DLLs from a shared temporary directory in DFIR-ORC versions 10.2.7 and prior. An attacker with access to the system can place a malicious DLL in C:\Windows\Temp, enabling automatic loading when the application is executed with administrative privileges.
Risk Assessment
The organization is at risk of an attacker gaining control over the system, potentially leading to data loss or unauthorized access to resources. The escalation of privileges to administrator level poses a serious security threat.
Recommendation
It is recommended to update DFIR-ORC to the latest version to mitigate this vulnerability. Additionally, access to the C:\Windows\Temp directory should be restricted, and its contents monitored for potential threats.
Original NVD description (English source)
Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.

