CVE-2026-3428

CVE-2026-3428 PUBLISHED

Assigner: ASUS
Reserved: 02.03.2026 Published: 16.04.2026 Updated: 16.04.2026

A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) during the update process, where an unexpected payload is substituted for a legitimate one immediately after download, and subsequently executed with administrative privileges upon user consent. Refer to the 'Security Update for ASUS Member Center' section on the ASUS Security Advisory for more information.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 5.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	High	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	ASUS
Product	Member Center(华硕大厅)
Versions	Default: unaffected Version 1.6.6.4 and earlier is affected

Vendor

ASUS

Product

Member Center(华硕大厅)

Versions

Default: unaffected

Version 1.6.6.4 and earlier is affected

References

Problem Types

CWE-494 Download of Code Without Integrity Check CWE
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition CWE