Bug 2494173 - CVE-2026-54370 acl: TOCTOU Symlink Traversal via getfacl/setfacl [fedora-all]
Summary: CVE-2026-54370 acl: TOCTOU Symlink Traversal via getfacl/setfacl [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: acl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Lukáš Zaoral
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["1af30249-b14a-4d59-8000-6...
Depends On:
Blocks: CVE-2026-54370
TreeView+ depends on / blocked
 
Reported: 2026-06-29 13:16 UTC by Mauro Matteo Cascella
Modified: 2026-07-11 01:11 UTC (History)
6 users (show)

Fixed In Version: acl-2.4.0-1.fc45 acl-2.4.0-1.fc44
Clone Of:
Environment:
Last Closed: 2026-07-11 01:11:53 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2026-06-29 13:16:39 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl or setfacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.

Comment 1 Lukáš Zaoral 2026-07-09 08:41:53 UTC
FEDORA-2026-a948378fff (acl-2.4.0-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-a948378fff

Comment 2 Fedora Update System 2026-07-09 08:50:35 UTC
FEDORA-2026-67504c329b (acl-2.4.0-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-67504c329b

Comment 3 Fedora Update System 2026-07-09 08:50:40 UTC
FEDORA-2026-6b9a652463 (acl-2.4.0-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6b9a652463

Comment 4 Fedora Update System 2026-07-10 01:27:24 UTC
FEDORA-2026-6b9a652463 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-6b9a652463`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-6b9a652463

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2026-07-10 01:43:59 UTC
FEDORA-2026-67504c329b has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-67504c329b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-67504c329b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2026-07-11 01:11:53 UTC
FEDORA-2026-6b9a652463 (acl-2.4.0-1.fc44) has been pushed to the Fedora 44 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.