Description
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
Published: 2026-04-09
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A flaw in libcap’s cap_set_file() implementation creates a time‑of‑check-to-time‑of‑use race condition. A local, unprivileged user who can write in the parent directory of a capability file can redirect capability updates to an attacker‑controlled file, thereby injecting or stripping capabilities from executables and obtaining elevated privileges. This vulnerability is a classic race condition, identified as CWE‑367.

Affected Systems

Red Hat Enterprise Linux versions 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4 are listed as affected. Any system running the vulnerable version of libcap within these products is vulnerable; the user does not need initial elevated rights beyond write access to the relevant directory.

Risk and Exploitability

The CVSS score is 6.7, indicating moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access and the ability to write in a directory that contains capability files; no publicly known exploits exist yet. Since no official workaround is available, the risk persists until the patch is applied. Users should monitor for updates and consider restricting file‑level write permissions as a temporary measure.

Generated by OpenCVE AI on April 9, 2026 at 19:23 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Apply the most recent patched version of libcap from Red Hat’s official repositories as soon as it becomes available.
  • Limit write permissions on directories that contain capability files so that only privileged users can modify them.
  • Monitor the Red Hat security advisory page and apply new updates promptly.
  • No official workaround is provided; applying the vendor patch is currently the only remediation.

Generated by OpenCVE AI on April 9, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Libcap Project
Libcap Project libcap
CPEs cpe:2.3:a:libcap_project:libcap:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Libcap Project
Libcap Project libcap

Sat, 25 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hardened Images
Redhat openshift Container Platform
Vendors & Products Redhat hardened Images
Redhat openshift Container Platform

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 09 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Thu, 09 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
Title Libcap: libcap: privilege escalation via toctou race condition in cap_set_file()
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-367
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Libcap Project Libcap
Redhat Enterprise Linux Hardened Images Hummingbird Openshift Openshift Container Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-28T00:54:51.083Z

Reserved: 2026-03-26T06:32:41.308Z

Link: CVE-2026-4878

cve-icon Vulnrichment

Updated: 2026-04-09T15:36:22.355Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T16:16:31.987

Modified: 2026-04-28T00:41:49.930

Link: CVE-2026-4878

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-06T00:00:00Z

Links: CVE-2026-4878 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:32:33Z

Weaknesses