CVE-2026-54370

Public on 2026-06-29
Modified on 2026-07-01
Description
A time-of-check to time-of-use (TOCTOU) race condition vulnerability was found in acl. By replacing a pathname component with a symbolic link between a security check and subsequent file operations, an attacker can redirect file access control list operations. This occurs when privileged processes invoke `getfacl` or `setfacl` over an attacker-controlled path, potentially leading to local privilege escalation.
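The race described above is the classic pathname TOCTOU: a check (stat, realpath, an ownership test) is made on a pathname, and a later operation is handed the same pathname, which by then may resolve through a symlink an attacker planted in a directory they control. The added example below is not code from the acl project or from the fix; it shows the hardened pattern a privileged caller would use instead of invoking `getfacl`/`setfacl` over a pathname: walk the path one component at a time with `openat(2)` and `O_NOFOLLOW`, so a symlink in any component is refused with `ELOOP` rather than followed, then apply the change through the resulting descriptor. `fchmod(2)` stands in for the ACL call so the example builds without libacl; with libacl the operation at that point would be `acl_set_fd(3)` on the same descriptor (an assumption about the pattern, not a description of the upstream patch). The helper names `open_nofollow_path`, `chmod_nofollow` and `demo`, and the files the demo creates under `/tmp`, are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the acl project): open PATH one component at a
 * time with openat(2) + O_NOFOLLOW, so a symlink swapped into any component
 * after an earlier lstat()/realpath() check is refused (errno == ELOOP) instead
 * of silently redirecting the operation.  Returns an open fd, or -1 with errno. */
int open_nofollow_path(const char *path)
{
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;

    char *copy = strdup(path);
    if (copy == NULL) {
        close(dirfd);
        return -1;
    }

    char *save = NULL;
    for (char *comp = strtok_r(copy, "/", &save); comp != NULL;
         comp = strtok_r(NULL, "/", &save)) {
        /* Every component, not just the last one, is opened without following
         * links: a swapped-in symlink directory is the usual attack. */
        int next = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        int saved_errno = errno;
        close(dirfd);
        if (next < 0) {
            free(copy);
            errno = saved_errno;
            return -1;
        }
        dirfd = next;
    }
    free(copy);
    return dirfd;   /* bound to the inode we walked to; the name no longer matters */
}

/* Apply the metadata change through the descriptor, never through the pathname
 * again.  fchmod(2) is a stand-in; with libacl this is where acl_set_fd(fd, acl)
 * would go (assumption about the hardened pattern, not the upstream fix).
 * Returns 0 on success, -1 with errno on failure. */
int chmod_nofollow(const char *path, mode_t mode)
{
    int fd = open_nofollow_path(path);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    int saved_errno = errno;
    close(fd);
    errno = saved_errno;
    return rc;
}

/* Constructed scenario: a regular file plus a symlink standing in for the
 * component an attacker swapped in between check and use.  Returns 0 when the
 * real file is changed and the symlink is refused with ELOOP, -1 otherwise. */
int demo(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/acl-toctou-XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return -1;

    char real[PATH_MAX], swapped[PATH_MAX];
    snprintf(real, sizeof real, "%s/target", dir);
    snprintf(swapped, sizeof swapped, "%s/swapped", dir);

    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    /* A dangling target is fine: O_NOFOLLOW rejects the link before resolving it. */
    if (symlink("/nonexistent/victim", swapped) < 0)
        return -1;

    int real_ok = chmod_nofollow(real, 0640) == 0;
    int link_refused = chmod_nofollow(swapped, 0640) < 0 && errno == ELOOP;

    struct stat st;
    int mode_applied = stat(real, &st) == 0 && (st.st_mode & 07777) == 0640;

    unlink(swapped);
    unlink(real);
    rmdir(dir);
    return (real_ok && link_refused && mode_applied) ? 0 : -1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "symlink refused, real file updated" : "demo failed");
    return rc == 0 ? 0 : 1;
}
```

The practical consequence for callers of the acl tools: `setfacl`/`getfacl` take pathnames, so a privileged script that runs them over a directory another user can write into cannot close this window from the outside; the robust choice is to operate on descriptors through libacl as above, or to make sure no attacker-writable component sits on the path.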
Severity: Medium
CVSS v3 Base Score: 6.3

Affected Packages

Platform               Package   Release Date   Advisory   Status
Amazon Linux 2 - Core  acl                                 Pending Fix
Amazon Linux 2023      acl                                 Pending Fix

No release date or advisory has been assigned yet for either platform; both entries are still pending a fix.

CVSS Scores

Score Type            Score   Vector
Amazon Linux CVSSv3   6.3     CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Vector breakdown: local attack vector (AV:L), high attack complexity because the race window between check and use must be won (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality and integrity impact (C:H/I:H), no availability impact (A:N).