Bug 2490283 (CVE-2026-54371)

Summary: CVE-2026-54371 attr: Symlink Traversal Privilege Escalation via getfattr and setfattr
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jkoehler, lphiri, rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `attr` package. This vulnerability allows a local attacker to perform a symlink traversal attack by replacing a pathname component with a symbolic link - either during directory hierarchy traversal by `getfattr` or during backup restoration by `setfattr`, which reads and resolves full pathnames from backup files. In both cases, when these utilities are executed by a privileged process over a path controlled by the attacker, this can lead to local privilege escalation.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2494172    
Bug Blocks:    
Deadline: 2026-06-29   

Description OSIDB Bzimport 2026-06-18 11:03:30 UTC
attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr utility that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr is invoked by a privileged process over an attacker-controlled path.