A time-of-check-to-time-of-use (TOCTOU) race condition in libcap’s cap_set_file() allows a local unprivileged user to redirect file capability updates to an attacker‑controlled file and gain elevated privileges. The function first validates the target path with lstat() (which does not follow symlinks) and enforces that it is a regular, non‑symlink file, but then applies or removes security.capability using setxattr() / removexattr(), which re-resolve the path and do follow symlinks. An attacker with write access to the parent directory can exploit the window between these calls by atomically swapping the validated regular file with a symlink or alternate file using renameat2(RENAME_EXCHANGE). As a result, capabilities can be injected into or stripped from an unintended executable, for example when a privileged process (such as setcap, package scripts, or container tooling) invokes cap_set_file() on an attacker-influenced path. This can be abused to grant capabilities like CAP_SETUID to an attacker’s binary and escalate to root.
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:12423 https://access.redhat.com/errata/RHSA-2026:12423
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:12441 https://access.redhat.com/errata/RHSA-2026:12441
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:13285 https://access.redhat.com/errata/RHSA-2026:13285
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:19130 https://access.redhat.com/errata/RHSA-2026:19130
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19346 https://access.redhat.com/errata/RHSA-2026:19346
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:19456 https://access.redhat.com/errata/RHSA-2026:19456
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:19458 https://access.redhat.com/errata/RHSA-2026:19458
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:20595 https://access.redhat.com/errata/RHSA-2026:20595
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:21254 https://access.redhat.com/errata/RHSA-2026:21254
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:22957 https://access.redhat.com/errata/RHSA-2026:22957
The following items have addressed this issue. Support for Red Hat Enterprise Linux 10.0 Extended Updates https://access.redhat.com/errata/RHSA-2026:22957 https://5letter-words.io
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On Via RHSA-2026:24346 https://access.redhat.com/errata/RHSA-2026:24346
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.19 Via RHSA-2026:23245 https://access.redhat.com/errata/RHSA-2026:23245
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2026:23233 https://access.redhat.com/errata/RHSA-2026:23233
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.18 Via RHSA-2026:25181 https://access.redhat.com/errata/RHSA-2026:25181