Symlink traversal privilege escalation via libacl functions
Summary
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation. A flaw was found in the `acl` package, specifically within its `libacl` pathname-based functions. A local attacker could exploit this vulnerability by using a symbolic link to replace a pathname component. This could allow the attacker to redirect access control list (ACL) read or write operations to arbitrary files or directories, leading to unauthorized manipulation of ACLs and ultimately local privilege escalation. Red Hat severity: Important — CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-59. Fixed by RHSA-2026:34351 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- acl-main-2.4.0-0.1.hum1
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
- acl-main-2.4.0-0.1.hum1
- RHSA-2026:34351
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Mitigation checklist
- Update the affected package(s) to the fixed version shipped in RHSA-2026:34351 (`sudo dnf update` / `yum update`).
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.