Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local privesc primitive requiring an unprivileged foothold (PR:L), low complexity, no user interaction; high confidentiality and integrity impact via redirected ACL writes, with no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
AnalysisAI
Local privilege escalation in the Linux acl utilities (libacl) before version 2.4.0 arises because the pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() follow symbolic links during ACL read/write operations. An attacker who controls any component of a pathname processed by a privileged caller can substitute a symlink to redirect ACL operations to arbitrary files, manipulating access control lists outside their authority. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) local access with at least an unprivileged account (PR:L), and (2) a higher-privileged caller - typically root or a setuid/daemon process - that invokes one of acl_get_file(), acl_set_file(), acl_extended_file(), or acl_delete_def_file() on a pathname whose components the attacker can influence. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) scores 8.4 (High) and is internally consistent with the description: local vector, low complexity, low privileges required, no user interaction, with high confidentiality and integrity impact but no availability impact - matching an ACL-manipulation/privesc primitive rather than a crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A root-run backup or provisioning job applies ACLs with setfacl to files under a directory that a low-privileged user can write to. The attacker pre-plants a symbolic link at one of the path components pointing to a sensitive file such as /etc/shadow or a setuid binary's directory, so when the privileged process calls acl_set_file() the ACL change is redirected there, granting the attacker access and enabling privilege escalation. … |
| Remediation | Vendor-released patch: upgrade libacl/acl to version 2.4.0 or later, or to your distribution's backported package that incorporates commits 3589787cd589b34bdd9265936e17190b6d3f17d1 and 24a227d0ab8576612194f8a56c2314389adc74a5 (https://cgit.git.savannah.nongnu.org/cgit/acl.git/commit/?id=3589787cd589b34bdd9265936e17190b6d3f17d1), as described in the VulnCheck advisory (https://www.vulncheck.com/advisories/acl-symlink-traversal-privilege-escalation-via-libacl-functions). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Linux systems running libacl versions prior to 2.4.0 (use: apt show libacl for Debian/Ubuntu; yum info acl for RHEL/CentOS). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Local privilege escalation in the attr package's getfattr and setfattr utilities (versions before 2.6.0) allows an attac
Local privilege escalation in the Linux acl package (libacl/getfacl/setfacl/chacl) before version 2.4.0 lets an unprivil
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40085
GHSA-53ch-pxc8-6g72