TOCTOU Symlink Traversal via getfacl/setfacl
Summary
acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation. A time-of-check to time-of-use (TOCTOU) race condition vulnerability was found in `acl`. By replacing a pathname component with a symbolic link between a security check and subsequent file operations, an attacker can redirect file access control list operations. This occurs when privileged processes invoke `getfacl` or `setfacl` over an attacker-controlled path, potentially leading to local privilege escalation. Red Hat severity: Moderate — CVSS 6.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-367. Fixed by RHSA-2026:34351 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- acl-main-2.4.0-0.1.hum1
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
- acl-main-2.4.0-0.1.hum1
- RHSA-2026:34351
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Mitigation checklist
- Update the affected package(s) to the fixed version shipped in RHSA-2026:34351 (`sudo dnf update` / `yum update`).
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.