Skip to main content

libacl (acl) CVE-2026-54369

| EUVDEUVD-2026-40085 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-29 VulnCheck GHSA-53ch-pxc8-6g72
8.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Local privesc primitive requiring an unprivileged foothold (PR:L), low complexity, no user interaction; high confidentiality and integrity impact via redirected ACL writes, with no availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 14:21 vuln.today

DescriptionCVE.org

acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.

AnalysisAI

Local privilege escalation in the Linux acl utilities (libacl) before version 2.4.0 arises because the pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() follow symbolic links during ACL read/write operations. An attacker who controls any component of a pathname processed by a privileged caller can substitute a symlink to redirect ACL operations to arbitrary files, manipulating access control lists outside their authority. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local unprivileged shell
Delivery
Identify privileged ACL operation on writable path
Exploit
Plant symlink at path component
Execution
Privileged libacl call follows symlink
Persist
ACL written to targeted sensitive file
Impact
Escalate to root privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) local access with at least an unprivileged account (PR:L), and (2) a higher-privileged caller - typically root or a setuid/daemon process - that invokes one of acl_get_file(), acl_set_file(), acl_extended_file(), or acl_delete_def_file() on a pathname whose components the attacker can influence. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) scores 8.4 (High) and is internally consistent with the description: local vector, low complexity, low privileges required, no user interaction, with high confidentiality and integrity impact but no availability impact - matching an ACL-manipulation/privesc primitive rather than a crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A root-run backup or provisioning job applies ACLs with setfacl to files under a directory that a low-privileged user can write to. The attacker pre-plants a symbolic link at one of the path components pointing to a sensitive file such as /etc/shadow or a setuid binary's directory, so when the privileged process calls acl_set_file() the ACL change is redirected there, granting the attacker access and enabling privilege escalation. …
Remediation Vendor-released patch: upgrade libacl/acl to version 2.4.0 or later, or to your distribution's backported package that incorporates commits 3589787cd589b34bdd9265936e17190b6d3f17d1 and 24a227d0ab8576612194f8a56c2314389adc74a5 (https://cgit.git.savannah.nongnu.org/cgit/acl.git/commit/?id=3589787cd589b34bdd9265936e17190b6d3f17d1), as described in the VulnCheck advisory (https://www.vulncheck.com/advisories/acl-symlink-traversal-privilege-escalation-via-libacl-functions). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Linux systems running libacl versions prior to 2.4.0 (use: apt show libacl for Debian/Ubuntu; yum info acl for RHEL/CentOS). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy