Bug 2451615 (CVE-2026-4878)

Summary: CVE-2026-4878 libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file()
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
Deadline: 2026-04-06   

Description OSIDB Bzimport 2026-03-26 06:56:43 UTC
A time-of-check-to-time-of-use (TOCTOU) race condition in libcap’s cap_set_file() allows a local unprivileged user to redirect file capability updates to an attacker‑controlled file and gain elevated privileges. The function first validates the target path with lstat() (which does not follow symlinks) and enforces that it is a regular, non‑symlink file, but then applies or removes security.capability using setxattr() / removexattr(), which re-resolve the path and do follow symlinks. An attacker with write access to the parent directory can exploit the window between these calls by atomically swapping the validated regular file with a symlink or alternate file using renameat2(RENAME_EXCHANGE). As a result, capabilities can be injected into or stripped from an unintended executable, for example when a privileged process (such as setcap, package scripts, or container tooling) invokes cap_set_file() on an attacker-influenced path. This can be abused to grant capabilities like CAP_SETUID to an attacker’s binary and escalate to root.
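
The description above turns on the check (lstat()) and the update (setxattr() / removexattr()) each resolving the path on their own. The following C code is an added example, not libcap's code and not the upstream fix: it shows the descriptor-pinned pattern, where the file is opened once with O_NOFOLLOW, validated with fstat(), and updated with fsetxattr() / fremovexattr() on the same descriptor. The names open_regular_nofollow, xattr_update_fd and demo_swap are hypothetical, and the files used are constructed in a temporary directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Open without following a final symlink, then validate the inode that was
 * actually opened. O_NONBLOCK keeps the open from blocking on a FIFO. */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        errno = EINVAL;             /* opened, but not a regular file */
        return -1;
    }
    return fd;      /* -1 with ELOOP when the final component is a symlink */
}

/* Hypothetical helper (not libcap API): set, or with value == NULL remove,
 * an xattr such as security.capability on the already-validated fd. */
int xattr_update_fd(int fd, const char *name, const void *value, size_t len)
{
    return value ? fsetxattr(fd, name, value, len, 0) : fremovexattr(fd, name);
}

/* Constructed scenario: validate "target", then make that name a symlink to
 * "victim". Returns 1 if the fd stays on the validated inode; -1 on setup error. */
int demo_swap(void)
{
    char dir[] = "/tmp/capfd-XXXXXX";
    struct stat before, pinned, now;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    close(open("target", O_CREAT | O_WRONLY, 0600));
    close(open("victim", O_CREAT | O_WRONLY, 0600));
    int fd = open_regular_nofollow("target");
    if (fd < 0 || fstat(fd, &before) != 0) return -1;
    if (unlink("target") != 0 || symlink("victim", "target") != 0) return -1;
    int ok = fstat(fd, &pinned) == 0 && pinned.st_ino == before.st_ino
          && stat("target", &now) == 0 && now.st_ino != before.st_ino
          && open_regular_nofollow("target") < 0 && errno == ELOOP;
    close(fd); unlink("target"); unlink("victim"); rmdir(dir);
    return ok;
}

int main(void) { return demo_swap() == 1 ? 0 : 1; }
```

O_NOFOLLOW covers only the final path component, and this pattern guarantees that the inode checked is the inode updated; it does not make a path inside an attacker-writable directory trustworthy.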

Comment 3 errata-xmlrpc 2026-04-30 17:40:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:12423 https://access.redhat.com/errata/RHSA-2026:12423

Comment 4 errata-xmlrpc 2026-04-30 18:47:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:12441 https://access.redhat.com/errata/RHSA-2026:12441

Comment 5 errata-xmlrpc 2026-05-04 01:38:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:13285 https://access.redhat.com/errata/RHSA-2026:13285