Description
rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of the module name allows path traversal, enabling an unprivileged local user to load an arbitrary shared library. Because the process retains elevated privileges during module loading, this results in local privilege escalation to root.
Published: 2026-06-30
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The rtapi_app binary in LinuxCNC before version 2.9.9 runs as a SUID root program and loads shared libraries via dlopen() based on a module name supplied by the user. The program does not properly validate this module name, allowing a local user to perform a path‑traversal attack and load an arbitrary shared library. Because the process retains elevated privileges during the load, the attacker gains root access on the affected system.

Affected Systems

LinuxCNC LinuxCNC versions prior to 2.9.9 (including 2.9.8 and earlier). The vulnerability exists in the linuxcnc-uspace component, specifically rtapi_app.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.4 and is considered a high‑risk, local privilege escalation. No EPSS score is available, and it is not listed in the CISA KEV catalog. The attack requires an unprivileged local account with access to the rtapi_app binary. The attacker simply supplies a crafted module path that reaches an arbitrary location on the filesystem, then the elevated process loads the malicious library, achieving full system compromise.

Generated by OpenCVE AI on June 30, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LinuxCNC to version 2.9.9 or later, which removes the insecure loader logic
  • Remove or disable the SUID bit from rtapi_app to prevent it from running with root privileges
  • Restrict write access to directories that can be targeted by module names, ensuring only root can place arbitrary libraries

Generated by OpenCVE AI on June 30, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title SUID Root Privilege Escalation via Path Traversal in LinuxCNC rtapi_app

Tue, 30 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of the module name allows path traversal, enabling an unprivileged local user to load an arbitrary shared library. Because the process retains elevated privileges during module loading, this results in local privilege escalation to root.
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-30T01:09:34.141Z

Reserved: 2026-06-30T01:09:33.668Z

Link: CVE-2026-58302

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T04:00:08Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')