Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only TOCTOU (AV:L) needing an unprivileged account (PR:L) and a hard-to-win race (AC:H); successful escalation compromises file ACLs/ownership giving high C/I, no direct availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.
AnalysisAI
Local privilege escalation in the Linux acl package (libacl/getfacl/setfacl/chacl) before version 2.4.0 lets an unprivileged local user who controls a component of a pathname win a TOCTOU race, redirecting privileged file-ACL operations to arbitrary files. By swapping a path component for a symlink between the lstat() validation and the follow-on stat()/chown()/chmod()/acl_get_file()/acl_set_file() calls, an attacker can manipulate ownership and ACLs on targets they should not control, yielding root-equivalent escalation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access with low privileges (PR:L) and the ability to control at least one component of a pathname (e.g., a writable parent directory) that a privileged process subsequently passes to getfacl, setfacl, or chacl. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) scores 7.2 (High) and is internally consistent with the description: exploitation is local (AV:L), requires existing low-level access (PR:L), needs no user interaction (UI:N), and is high-complexity (AC:H) because it depends on winning a non-deterministic race window. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a shared Linux host, an unprivileged user creates a directory tree they control and waits for (or triggers) a root cron job or admin script that runs setfacl/chown over that path. They repeatedly swap an intermediate path component for a symlink to /etc or a SUID binary, and on a successful race the privileged ACL/ownership change is applied to the attacker's chosen target, granting them write access and root escalation. … |
| Remediation | Vendor-released patch: upgrade to acl 2.4.0 or later, which contains the upstream fix (commits 3589787cd589b34bdd9265936e17190b6d3f17d1 and 24a227d0ab8576612194f8a56c2314389adc74a5 at https://cgit.git.savannah.nongnu.org/cgit/acl.git/commit/?id=3589787cd589b34bdd9265936e17190b6d3f17d1); on managed distributions apply the vendor's backported acl package update once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running acl package versions before 2.4.0 and assess exposure based on multi-user system inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Local privilege escalation in the attr package's getfattr and setfattr utilities (versions before 2.6.0) allows an attac
Local privilege escalation in the Linux acl utilities (libacl) before version 2.4.0 arises because the pathname-based fu
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40086
GHSA-r45p-762r-6pqj