Description
acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.
Published: 2026-06-29
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The acl utility prior to version 2.4.0 suffers from a TOCTOU race condition that allows an attacker who can influence a pathname component to replace it with a symbolic link. During the execution of privileged operations such as getfacl, setfacl, or chacl, the program performs an lstat() check and later follows the symlink when calling stat(), chown(), chmod(), acl_get_file(), or acl_set_file(), enabling the attacker to redirect access‑control list modifications to an arbitrary target file. This flaw results in local privilege escalation because the privileged process can alter the permissions or ownership of files chosen by the attacker.

Affected Systems

The vulnerability affects the acl project’s acl utility for all versions earlier than 2.4.0. Users running these older releases on any Linux or Unix‑derived system are exposed if they employ getfacl, setfacl, or chacl with paths that an attacker can control.

Risk and Exploitability

With a CVSS score of 7.2 the vulnerability is considered high severity. EPSS data is not available, and the issue is not currently listed in CISA’s Known Exploited Vulnerabilities catalog. The attack vector is local; an attacker must be able to write or control a pathname component to insert a symlink before the privileged command is issued. Once this condition is met, the exploitation is straightforward and grants the attacker the privileges of the executing process.

Generated by OpenCVE AI on June 29, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade acl to version 2.4.0 or later.
  • Restrict the execution of getfacl, setfacl, and chacl by privileged services or run them under non-privileged users when possible.
  • Ensure that any directory or file names used with these commands are owned by trusted users and that symbolic links cannot be introduced into the path; consider replacing symlink‑followed operations with safe alternatives or implementing integrity checks on path components.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Acl Project; Acl Project acl
Vendors & Products                    Acl Project; Acl Project acl

Mon, 29 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type         Values Removed   Values Added
Description                   acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.
Title                         acl < 2.4.0 TOCTOU Symlink Traversal via getfacl/setfacl/chacl
Weaknesses                    CWE-367
References
Metrics                       cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}
                              cvssV4_0: {'score': 7.2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T14:51:59.992Z

Reserved: 2026-06-12T20:20:02.948Z

Link: CVE-2026-54370

Vulnrichment

Updated: 2026-06-29T14:50:00.622Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:15:03Z

Weaknesses
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition