The vulnerability resides in the getfattr and setfattr utilities of the attr package prior to version 2.6.0. It allows a local attacker who can influence a pathname component to insert a symbolic link into the directory hierarchy. When a privileged process calls getfattr or setfattr with a path containing the attacker‑controlled symlink, the utility follows the link and operates on an arbitrary file. This permits a local attacker to modify or read attributes of files that should be protected, and therefore to execute actions with the privileges of the privileged process. The impact is an elevation of privileges with potential to compromise system integrity and confidentiality. This flaw is classified as CWE‑59, a Symlink Or Path Traversal vulnerability.

The affected product is the attr utilities from the acl project. All releases of the attr package older than version 2.6.0 are vulnerable. This includes system installations that ship attr < 2.6.0, which may be part of various Linux distributions and other Unix-like operating systems.

The CVSS score of 8.4 marks the flaw as high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. The attack requires local access to a pathname component; the attacker must have permission to create a symlink in a directory that will be traversed by a privileged instance of getfattr or setfattr. Because the utilities are often invoked by system processes or scripts with elevated privileges, a local attacker can achieve privilege escalation by crafting malicious paths. The combination of high CVSS and the ability to exploit the flaw via a local symlink makes the risk significant for systems that have not updated to a patched version.