CVE-2026-11958 PUBLISHED

Local privilege escalation in ANSSI’s DFIR-ORC

Assigner: INCIBE
Reserved: 11.06.2026 Published: 18.06.2026 Updated: 18.06.2026

Local privilege escalation by loading DLLs from a shared temporary directory in ANSSI’s DFIR-ORC, versions 10.2.7 and prior. An attacker with prior access to the system, can place a malicious DLL in C:\Windows\Temp and wait for the application to be executed. Because DFIR-ORC is extracted and executed from that location with administrative privileges, the malicious library can be loaded automatically, allowing the attacker to gain administrator privileges on the affected machine.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 7.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	ANSSI
Product	DFIR-ORC
Versions	Default: unaffected affected from 0 to 10.2.7 (incl.) Version 10.3.0 is unaffected

Workarounds

The vulnerability has been mitigated by the ANSSI team in version 10.2.8 and fully addressed with an improved fix in 10.3.0. Workaround for earlier versions: Do not execute from a too permissive directory (v10.8.0); do not run as System unless you set the temporary directory (/tempdir) to a location with appropriate permissions. (<10.2.8).

Solutions

The vulnerability has been fully addressed with an improved fix in 10.3.0.

Credits

Rémi Delabrosse finder
Nicolas Rodrigues finder

References

Problem Types

CWE-427: Uncontrolled Search Path Element CWE