CVE Catalog

CVE-2026-54370

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Summary

A TOCTOU race condition vulnerability was found in the ACL library before version 2.4.0, allowing local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.

Risk Assessment

The organization faces the risk of local privilege escalation, potentially allowing an unprivileged attacker to access sensitive data or modify critical system files, which could lead to full system compromise.

Recommendation

Immediately update the ACL library to version 2.4.0 or later, which includes a fix for the TOCTOU vulnerability. In the meantime, restrict access to getfacl, setfacl, and chacl tools to trusted users only.

Original NVD description (English source)

acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS