Description
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
Published: 2026-06-29
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() prior to version 2.4.0. It allows a local attacker who can influence any component of a pathname processed by a privileged caller to redirect ACL read or write operations to unintended files or directories. The ability to manipulate access control lists on arbitrary files or directories enables unauthorized elevation of privileges, as the attacker can grant themselves or others higher access rights or remove restrictions. The weakness is improper link resolution before file access, i.e. link following (CWE-59).

Affected Systems

The ACL library (acl project) versions earlier than 2.4.0 are affected. Any system that uses these versions for ACL management, such as Linux distributions or custom applications that embed libacl, is vulnerable if a local user can create files or symbolic links within a pathname that a privileged process passes to the vulnerable functions.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, with local privilege escalation as the primary consequence. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. However, because the flaw requires local access and the attacker must control a pathname component, the likelihood of exploitation depends on whether a local user can reach a privileged caller of these functions. Once exploited, the attacker can modify ACLs for any file or directory that the privileged process can reach, effectively escalating privileges on the host.

Generated by OpenCVE AI on June 29, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an ACL library update to version 2.4.0 or later, which removes the pathname traversal flaw.
  • Rebuild or reinstall any packages or applications that link against libacl to ensure they use the patched library.
  • If an immediate update is not possible, restrict the use of pathname-based ACL functions to trusted processes only, or sanitize all path components before passing them to these functions to prevent traversal.
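As an added illustration of the last recommendation (example code, not from the advisory or the acl project): a privileged caller can avoid the pathname-based functions entirely by opening the target one component at a time with O_NOFOLLOW, so that a symbolic link at any component fails with ELOOP, and then passing the resulting descriptor to libacl's descriptor-based acl_get_fd()/acl_set_fd(). The helper names open_nofollow_each() and demo_symlink_rejected() are assumptions, and the demo creates its own scratch file and symlink under the current directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: open `path` for reading, resolving one component at a time with
 * O_NOFOLLOW so a symlink anywhere in the path fails with ELOOP. Returns an fd for acl_get_fd(). */
int open_nofollow_each(const char *path) {
    if (!path || !*path) { errno = EINVAL; return -1; }
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char *copy = strdup(path);
    if (!copy) { close(dirfd); return -1; }
    char *save = NULL; int ok = 1;
    for (char *c = strtok_r(copy, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, ".") == 0) continue;
        int next = -1;
        if (strcmp(c, "..") == 0) errno = EINVAL;          /* refuse climbing out of the walk */
        else next = openat(dirfd, c, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) { ok = 0; break; }                   /* ELOOP: component `c` is a symlink */
        close(dirfd);
        dirfd = next;
    }
    int saved = errno; free(copy);                         /* keep the errno of the failing call */
    if (!ok) { close(dirfd); errno = saved; return -1; }
    return dirfd;
}

/* Constructed demo: a regular file opens; the same file reached via a symlink is rejected with ELOOP. */
int demo_symlink_rejected(void) {
    char dir[] = "acl-demo-XXXXXX";                        /* scratch directory under the cwd */
    if (!mkdtemp(dir)) return 0;
    char real[64], link[64];
    snprintf(real, sizeof real, "%s/target", dir);
    snprintf(link, sizeof link, "%s/alias", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (symlink("target", link) != 0) return 0;           /* alias -> target, inside the scratch dir */
    int result = 1;
    int good = open_nofollow_each(real);                   /* no symlink in the path: succeeds */
    if (good < 0) result = 0; else close(good);
    if (open_nofollow_each(link) != -1 || errno != ELOOP) result = 0;
    unlink(link); unlink(real); rmdir(dir);
    return result;
}
```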


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:15:00 +0000

Type: First Time appeared
  • Values Removed: (none)
  • Values Added: Acl Project; Acl Project acl

Type: Vendors & Products
  • Values Removed: (none)
  • Values Added: Acl Project; Acl Project acl

Mon, 29 Jun 2026 14:30:00 +0000

Type: Metrics
  • Values Removed: (none)
  • Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type: Description
  • Values Removed: (none)
  • Values Added: acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.

Type: Title
  • Values Removed: (none)
  • Values Added: acl < 2.4.0 Symlink Traversal Privilege Escalation via libacl Functions

Type: Weaknesses
  • Values Removed: (none)
  • Values Added: CWE-59

Type: References (no values shown)

Type: Metrics
  • Values Removed: (none)
  • Values Added: cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
  • Values Added: cvssV4_0
    {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T13:58:42.355Z

Reserved: 2026-06-12T20:20:02.948Z

Link: CVE-2026-54369

Vulnrichment

Updated: 2026-06-29T13:57:37.839Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')