CVE-2026-27456
TOCTOU Vulnerability in util-linux mount Allows Root File Access

Publication date: 2026-04-03

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between the two operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() is employed.

This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions).

The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.
Meta Information
  • Generated: 2026-05-07
  • AI Q&A: 2026-04-04
  • EPSS evaluated: 2026-05-05
Affected Vendors & Products
  • Vendor: kernel; Product: util-linux; Version / Range: up to 2.41.4 (excluding)
CWE
  • CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
  • CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
  • CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a local unprivileged user to gain unauthorized read access to root-protected files and block devices, including backup images and disk volumes. Such unauthorized access to sensitive data could potentially lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.


Can you explain this vulnerability to me?

This vulnerability is a Time-of-Check-Time-of-Use (TOCTOU) flaw in the SUID binary /usr/bin/mount from util-linux versions prior to 2.41.4. When setting up loop devices, the mount binary first validates the source file path with user privileges, but then re-canonicalizes and opens the file with root privileges without verifying that the path has not changed in the meantime. Because it does not use protections like O_NOFOLLOW, inode comparison, or post-open fstat(), a local unprivileged user can replace the source file with a symlink pointing to any root-owned file or device during this race window. This causes the mount binary to open and mount the targeted file as root.

Exploitation requires an /etc/fstab entry with user,loop options pointing to a directory writable by the attacker and the mount binary having the SUID bit set, which is the default on most Linux distributions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the SUID binary /usr/bin/mount from util-linux prior to version 2.41.4. To detect if your system is vulnerable, you should check the version of util-linux installed and verify if the mount binary has the SUID bit set.

  • Check the util-linux version: run `util-linux --version` or check the package version via your package manager.
  • Verify if /usr/bin/mount has the SUID bit set: run `ls -l /usr/bin/mount` and look for an 's' in the user permission bits (e.g., -rwsr-xr-x).
  • Check /etc/fstab for entries with user and loop options pointing to directories writable by unprivileged users.
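
As an added example (not part of the advisory or of util-linux), a POSIX sh script that runs the three checks above as functions and prints a report without changing anything. It assumes that `mount --version` prints "mount from util-linux <version>", which is how util-linux builds report it, and that /etc/fstab uses the standard six-field layout.

```shell
# Added example, not from the advisory: report-only checks for the CVE-2026-27456
# preconditions (util-linux < 2.41.4, SUID mount, user+loop fstab entries whose
# backing file lives in a world-writable directory). Nothing is modified.

# util-linux version as printed by "mount --version" ("mount from util-linux 2.41.4");
# empty when mount is not installed.
util_linux_version() {
    mount --version 2>/dev/null | sed -n 's/.*util-linux \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: exit 0 when dotted version A is older than B (2.41 < 2.41.4).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1 }'
}

# Print "source mountpoint options" for fstab lines whose options contain
# user or users together with loop or loop=DEV; comments and short lines are skipped.
fstab_user_loop_entries() {
    awk '$1 !~ /^#/ && NF >= 4 {
        n = split($4, o, ","); u = 0; l = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "user" || o[i] == "users") u = 1
            if (o[i] == "loop" || o[i] ~ /^loop=/) l = 1
        }
        if (u && l) print $1, $2, $4 }' "$1"
}

# dir_world_writable PATH: exit 0 when the directory containing PATH has o+w set.
dir_world_writable() {
    [ -n "$(find "$(dirname "$1")" -prune -perm -002 -print 2>/dev/null)" ]
}

report() {
    v=$(util_linux_version)
    if [ -z "$v" ]; then echo "mount: not found"
    elif version_lt "$v" 2.41.4; then echo "util-linux $v: affected (< 2.41.4)"
    else echo "util-linux $v: at or above 2.41.4"; fi
    [ -u /usr/bin/mount ] && echo "/usr/bin/mount: SUID bit set" || echo "/usr/bin/mount: no SUID bit"
    [ -r /etc/fstab ] && fstab_user_loop_entries /etc/fstab | while read -r src mnt opts; do
        dir_world_writable "$src" && w="world-writable" || w="not world-writable"
        echo "user+loop entry $src -> $mnt ($opts): backing directory $w"
    done
    return 0
}

report
```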

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should upgrade util-linux to version 2.41.4 or later where the issue is patched.

Additionally, you can temporarily remove the SUID bit from /usr/bin/mount to prevent exploitation, though this may affect functionality.

  • Upgrade util-linux to version 2.41.4 or newer.
  • Remove the SUID bit from /usr/bin/mount using `chmod u-s /usr/bin/mount`.
  • Review /etc/fstab entries for user,loop options and restrict write permissions on directories referenced there.

How can this vulnerability impact me?

This vulnerability allows a local unprivileged user to gain unauthorized read access to root-protected files and block devices. This includes sensitive data such as backup images, disk volumes, and any file containing a valid filesystem. Essentially, an attacker can mount and read files or devices that should only be accessible by root.

