Skip to main content

Util Linux EUVDEUVD-2026-18864

| CVE-2026-27456 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-04-03 GitHub_M
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 22:15 euvd
EUVD-2026-18864
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:23 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

AnalysisAI

Unauthorized read access to root-owned files via TOCTOU race condition in util-linux mount binary (versions prior to 2.41.4) allows local users with existing fstab entries to replace loop device source files with symlinks pointing to sensitive files or block devices, bypassing intended access controls. The vulnerability requires moderate exploitation effort (AC:H) and authenticated user access (PR:L) but grants disclosure of confidential data including filesystem backups and disk volumes. No public exploit code or active CISA KEV status identified at time of analysis.

Technical ContextAI

The mount utility in util-linux is a SUID binary that handles mounting filesystems, including loop device setup. CWE-59 (Time-of-Check-Time-of-Use vulnerability) manifests when the mount binary validates the source file path under user privileges via fork()+setuid()+realpath() to check legitimacy, but then re-canonicalizes and opens that same path with root privileges (euid=0) without ensuring the inode or path contents remain unchanged. The race window between these two operations allows a local attacker to perform a symlink swap, causing the SUID process to open an attacker-selected file with elevated privileges. The vulnerability exists because the code does not employ protective measures such as O_NOFOLLOW flag on open(), inode comparison between check and use phases, or post-open fstat() validation to confirm the opened file matches the original validated path.

RemediationAI

Vendor-released patch available in util-linux version 2.41.4 and later; upgrade immediately via package manager or build from source at https://github.com/util-linux/util-linux/releases/tag/v2.41.4. The upstream fix commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4 (referenced at https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4) addresses the TOCTOU race by adding proper post-open inode validation and O_NOFOLLOW handling. As a workaround pending upgrade, system administrators can remove user,loop entries from /etc/fstab or restrict mount to sudoers-only (removing the SUID bit from /usr/bin/mount, though this impacts non-root users' ability to mount loop devices). Consult vendor advisory at https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g for distribution-specific patch availability.

CVE-2015-5224 CRITICAL
9.8 Aug 23

The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name coll

CVE-2021-37600 MEDIUM POC
5.5 Jul 30

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use

CVE-2024-28085 LOW POC
3.3 Mar 27

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to othe

CVE-2014-9114 HIGH
7.8 Mar 31

Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code. Rated high severity (CVSS 7.8), this v

CVE-2016-2779 HIGH
7.8 Feb 07

runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes

CVE-2018-7738 HIGH
7.8 Mar 07

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands

CVE-2015-5218 LOW POC
2.1 Nov 09

Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of servi

CVE-2022-0563 MEDIUM
5.5 Feb 21

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. Rated medium severity (C

CVE-2016-5011 MEDIUM
4.6 Apr 11

The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate at

CVE-2013-0157 LOW
2.1 Jan 21

(a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the ex

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

EUVD-2026-18864 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy