
libcap CVE-2026-4878

EUVD-2026-20910 · HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-09 · redhat
CVSS 3.1: 7.0 (NVD)

Severity by source

NVD (primary): 7.0 HIGH, AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.0 HIGH
  Rationale: Local unprivileged user (AV:L, PR:L) must win a TOCTOU race (AC:H) with no user interaction; successful capability injection yields full root, so C:H/I:H/A:H.
  CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SUSE: 6.7 MEDIUM, AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Red Hat: 6.7 HIGH, qualitative

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated: Jun 11, 2026 - 10:28, vuln.today, v3 (cvss_changed)
Analysis Updated: Jun 11, 2026 - 10:28, vuln.today, v2 (cvss_changed)
Re-analysis Queued: Jun 11, 2026 - 10:22, vuln.today, cvss_changed
Severity Changed: Jun 11, 2026 - 10:22, NVD, MEDIUM → HIGH
CVSS changed: Jun 11, 2026 - 10:22, NVD, 6.7 (MEDIUM) → 7.0 (HIGH)
EUVD ID Assigned: Apr 09, 2026 - 15:30, euvd, EUVD-2026-20910
Analysis Generated: Apr 09, 2026 - 15:30, vuln.today
CVE Published: Apr 09, 2026 - 14:49, nvd, MEDIUM 6.7

Description (NVD)

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Analysis (AI)

Local privilege escalation in libcap's cap_set_file() function affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4, where a TOCTOU race condition allows an unprivileged user with write access to a parent directory to redirect file capability updates onto an attacker-controlled file. Successful exploitation can inject or strip Linux file capabilities on arbitrary executables, yielding full privilege escalation on the host. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain unprivileged local shell on RHEL/OpenShift host
Delivery: Identify privileged setcap workflow targeting writable parent directory
Exploit: Race cap_set_file() path-check via rename/symlink swap
Execution: Capability xattr written to attacker-controlled binary
Persist: Execute binary to inherit CAP_SETUID or equivalent
Impact: Escalate to root

Vulnerability Assessment (AI)

Exploitation: Requires an unprivileged local shell on an affected RHEL 6-10 or OpenShift 4 host (PR:L, AV:L) and write access to a parent directory of a path that a privileged process will pass to cap_set_file()/setcap; the attacker must also win a TOCTOU race between the library's path resolution and the underlying setxattr() call, which is why AC:H. …

Risk Assessment: The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H scores 7.0 High and accurately reflects the threat model: local access and low privileges are required, attack complexity is High because winning a race window is non-deterministic, but impact is total on confidentiality, integrity, and availability once the race is won. …

Exploit Scenario: An unprivileged user on a shared RHEL host monitors a directory they can write to which is also used by a packaging or build script that runs setcap as root on a freshly built binary. As the script invokes cap_set_file() the attacker wins the TOCTOU window by renaming or symlinking the validated path so the security.capability xattr is written onto an attacker-staged binary granting CAP_SETUID, which they then execute to obtain root; no public exploit is identified at time of analysis and the High attack complexity reflects the race window.

Remediation: Patch available per vendor advisory: update libcap to the fixed package versions distributed in RHSA-2026:7473 (and the follow-on errata RHSA-2026:12423, RHSA-2026:12441, RHSA-2026:13285) for Red Hat Enterprise Linux 6/7/8/9/10 and OpenShift Container Platform 4, and to the equivalents in SUSE-SU-2026:1432 / SUSE-SU-2026:1433 for SUSE; on RHEL run 'dnf update libcap' and reboot or restart services that link against it. …
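A pre-flight check for the exploitation condition described above (write access to a parent directory of a path handed to setcap/cap_set_file()), given as an added example that is not part of this advisory or of libcap: it walks every directory above a target path and reports those a non-root user could modify. The function names, the default of trusting only uid 0, and treating gid 0 as trusted are assumptions of this sketch.

```python
import os
import stat
import sys

def _ancestors(path):
    """Yield every directory above `path`, ending at the filesystem root."""
    cur = os.path.dirname(path)
    while True:
        yield cur
        nxt = os.path.dirname(cur)
        if nxt == cur:
            return
        cur = nxt

def risky_ancestors(target, trusted_uids=frozenset({0})):
    """Return [(directory, reason)] for each directory above `target` where a
    user outside `trusted_uids` could rename or replace a path component."""
    # Audit both the path as written and its symlink-resolved form: a swap in
    # either chain changes which inode a path-based call finally reaches.
    chain = list(_ancestors(os.path.abspath(target)))
    chain += [d for d in _ancestors(os.path.realpath(target)) if d not in chain]
    findings = []
    for d in chain:
        st = os.stat(d)
        if st.st_uid not in trusted_uids:
            findings.append((d, f"owned by uid {st.st_uid}"))
        elif st.st_mode & stat.S_IWOTH:
            # Sticky directories limit renames of other users' entries; the
            # marker is reported so the finding can be triaged, not dismissed.
            sticky = " (sticky)" if st.st_mode & stat.S_ISVTX else ""
            findings.append((d, "world-writable" + sticky))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((d, f"writable by gid {st.st_gid}"))
    return findings

if __name__ == "__main__":
    # Usage: python3 audit.py /path/one /path/two ...
    for target in sys.argv[1:]:
        for directory, reason in risky_ancestors(target):
            print(f"{target}: {directory} is {reason}")
```

Run it as root against the paths that build or packaging scripts pass to setcap; an empty result means no directory in the chain is modifiable by an untrusted account at the time of the check.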

Recommended Action (AI)

Within 24 hours: Inventory all RHEL 6-10 and OpenShift 4 systems; identify which run unprivileged services or containers; assess criticality tier. …


Vendor Status (Vendor)

SUSE

Severity: Medium
Product Status

Affected:
  Container private-registry/harbor-core:1.1.2-2.22
  Container private-registry/harbor-exporter:1.1.2-2.22
  Container private-registry/harbor-jobservice:1.1.2-2.22
  Container private-registry/harbor-portal:1.1.2-2.23
  Container private-registry/harbor-registry:1.1.2-2.22
  Container private-registry/harbor-registryctl:1.1.2-2.22
  Container private-registry/harbor-trivy-adapter:1.1.2-2.25
  Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.10
  Container suse/manager/4.3/proxy-salt-broker:4.3.17.9.66.11
  Container suse/manager/4.3/proxy-squid:4.3.17.9.75.8
  Container suse/manager/4.3/proxy-ssh:4.3.17.9.66.8
  Container suse/manager/4.3/proxy-tftpd:4.3.17.9.66.9
  Container suse/sle-micro/base-5.5:2.0.4-5.8.263
  Container suse/sle-micro/kvm-5.5:2.0.4-3.5.507

Affected:
  Container suse/ltss/sle12.5/sles12sp5:8.5.225

Affected:
  Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.163
  Container suse/sl-micro/6.0/base-os-container:2.1.3-7.130
  Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.147

Affected:
  Container suse/sl-micro/6.0/toolbox:13.2-9.96

Fixed:
  SUSE Linux Enterprise Desktop 15 SP7
  SUSE Linux Enterprise High Performance Computing 15 SP7
  SUSE Linux Enterprise Module for Basesystem 15 SP7
  SUSE Linux Enterprise Server 15 SP7
  SUSE Linux Enterprise Server for SAP Applications 15 SP7
