CVE-2026-54370
Public on 2026-06-29
Modified on 2026-07-01
Description
A time-of-check to time-of-use (TOCTOU) race condition vulnerability was found in acl. By replacing a pathname component with a symbolic link between a security check and subsequent file operations, an attacker can redirect file access control list operations. This occurs when privileged processes invoke `getfacl` or `setfacl` over an attacker-controlled path, potentially leading to local privilege escalation.
Severity
See what this means
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | acl | Pending Fix | ||
| Amazon Linux 2023 | acl | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.3 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |