Description
util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.
Published: 2026-04-03
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a Time‑of‑Check/Time‑of‑Use race condition in the SUID mount binary (/usr/bin/mount) shipped with util‑linux. During the setup of loop devices the binary validates the source file path as an unprivileged user by forking and calling setuid(), then calls realpath() to resolve the path. However, it later re‑canonicalizes the same path and opens the file with root privileges (effective UID zero) without verifying that the path remained unchanged between the two operations. This missing check allows a local user to replace the original file with a symlink pointing to any root‑owned file or device while the race window exists, causing mount to read or mount that file as root. The result is unauthorized access to root‑protected files, block devices, backup images, or any file containing a valid filesystem.
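The three checks the description says are missing (O_NOFOLLOW, inode comparison, post-open fstat()) combined into one check-then-verified-open pattern, as an added illustration in C. This is not util-linux code: the function names are my own, and the temporary files the self-test creates are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check step (run with the caller's unprivileged identity in a SUID program):
 * record the device + inode of the regular file the caller may use. */
int record_identity(const char *path, struct stat *expected)
{
    if (stat(path, expected) != 0 || !S_ISREG(expected->st_mode)) return -1;
    return 0;
}

/* Use step (run with privileges): O_NOFOLLOW refuses a symlink swapped in for the
 * final component (ELOOP); fstat() on the descriptor actually opened plus a
 * device/inode comparison catches any other replacement made in the race window. */
int open_verified(const char *path, const struct stat *expected)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat now;
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) ||
        now.st_dev != expected->st_dev || now.st_ino != expected->st_ino) {
        close(fd); errno = EPERM;   /* not the file that was checked */
        return -1;
    }
    return fd;
}

/* Self-test on constructed temp files: the original file is accepted, while a
 * file replaced via rename() and a symlink swap are both rejected. Returns 1 if so. */
int demo_verified_open(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", src[64], other[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(src, sizeof src, "%s/image.img", dir);
    snprintf(other, sizeof other, "%s/other.img", dir);
    close(open(src, O_WRONLY | O_CREAT, 0600));
    close(open(other, O_WRONLY | O_CREAT, 0600));
    struct stat expected; int ok = record_identity(src, &expected) == 0;
    int fd = open_verified(src, &expected); ok = ok && fd >= 0; if (fd >= 0) close(fd);
    ok = ok && rename(other, src) == 0 && open_verified(src, &expected) < 0;  /* new inode */
    ok = ok && unlink(src) == 0 && symlink(dir, src) == 0 &&
         open_verified(src, &expected) < 0 && errno == ELOOP;                  /* symlink */
    unlink(src); rmdir(dir);
    return ok;
}
```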

Affected Systems

The issue affects the util‑linux package on Linux distributions that ship a SUID mount binary. All versions prior to 2.41.4 are vulnerable, as the bug was fixed in that release. Targeted configurations include systems that permit the loop option in /etc/fstab and provide a directory writable by the unprivileged user. On virtually all Linux distributions the SUID bit on /usr/bin/mount is set by default, so the vulnerability is present when the default configuration is used.

Risk and Exploitability

The CVSS score of 4.7 denotes a moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access: the attacker must be able to write into a directory referenced by a user,loop /etc/fstab entry, and the mount binary must retain its SUID bit. Once the race condition succeeds, the attacker can read any root‑owned file or device via the loop mount, effectively elevating privileges locally. Because the attack vector is local and depends on specific fstab entries, the risk is limited to systems that use loop mounts with user options, but the impact on confidentiality is significant.

Generated by OpenCVE AI on April 3, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade util‑linux to version 2.41.4 or later.
  • Verify that the /usr/bin/mount binary has the correct permissions (SUID bit set to 4755).
  • Remove or restrict user,loop options from /etc/fstab entries that point to writable directories.
  • Consider disabling loop device support on the system if not required.
  • If upgrading is not immediately possible, restrict unprivileged users from writing into directories referenced by /etc/fstab loop mounts.


Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Kernel
                                      Kernel util-linux
CPEs                                  cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*
Vendors & Products                    Kernel
                                      Kernel util-linux

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Linux
                                      Linux util-linux
Vendors & Products                    Linux
                                      Linux util-linux
References
Metrics              threat_severity  threat_severity
                     None             Moderate


Mon, 06 Apr 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description                           util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.
Title                                 util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup
Weaknesses                            CWE-269
                                      CWE-367
                                      CWE-59
References
Metrics                               cvssV3_1
                                      {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Kernel Util-linux
Linux Util-linux
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:42:35.774Z

Reserved: 2026-02-19T17:25:31.100Z

Link: CVE-2026-27456

Vulnrichment

Updated: 2026-04-06T15:38:52.451Z

NVD

Status: Analyzed

Published: 2026-04-03T22:16:25.400

Modified: 2026-04-22T16:08:55.100

Link: CVE-2026-27456

Redhat

Severity: Moderate

Public Date: 2026-04-03T21:23:00Z

Links: CVE-2026-27456 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T22:22:05Z

Weaknesses