Bug 2490279 (CVE-2026-54370) - CVE-2026-54370 acl: TOCTOU Symlink Traversal via getfacl/setfacl
Summary: CVE-2026-54370 acl: TOCTOU Symlink Traversal via getfacl/setfacl
Keywords:
Status: NEW
Alias: CVE-2026-54370
Deadline: 2026-06-29
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494173
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-18 10:59 UTC by OSIDB Bzimport
Modified: 2026-07-01 13:30 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-18 10:59:14 UTC
acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl or setfacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.


Note You need to log in before you can comment on or make changes to this bug.