CVE-2026-54371
Public on 2026-06-29
Modified on 2026-07-01
Description
A flaw was found in the `attr` component, specifically within the `getfattr` utility. This vulnerability allows a local attacker to perform a symlink traversal attack. By replacing a pathname component with a symbolic link during directory hierarchy traversal, an attacker can redirect `getfattr` operations to arbitrary files. This can lead to local privilege escalation when `getfattr` is executed by a privileged process over a path controlled by the attacker.
Severity
See what this means
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | attr | Pending Fix | ||
| Amazon Linux 2023 | attr | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |