CVE-2026-54370

ACL Race Condition Leads to Local Privilege Escalation

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| acl_project | acl | up to 2.4.0 (exclusive) |

Exploitability

| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |

Executive Summary

CVE-2026-54370 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability in the acl software versions prior to 2.4.0.

This flaw allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file().

Attackers who control any part of a pathname processed by a privileged caller can redirect file access control list operations to arbitrary files when commands like getfacl, setfacl, or chacl are invoked by a privileged process over an attacker-controlled path.

This redirection results in local privilege escalation by enabling unauthorized manipulation of access control lists.

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges on a system by exploiting the race condition to manipulate access control list operations.

By replacing a pathname component with a symbolic link, an attacker can redirect privileged operations to arbitrary files, potentially gaining unauthorized access or control over sensitive files.

This can lead to unauthorized modification or disclosure of files that should be protected, compromising system security.

Detection Guidance

This vulnerability involves a time-of-check to time-of-use (TOCTOU) race condition in the acl software before version 2.4.0, which can be exploited locally by replacing pathname components with symbolic links.

Detection typically involves verifying the installed version of the acl package to see if it is prior to 2.4.0, as well as monitoring for suspicious symbolic link manipulations in paths used by privileged processes invoking getfacl, setfacl, or chacl.

  • Check the installed acl version. The package ships no `acl` binary, so query one of its tools or the package manager: `getfacl --version`, `dpkg -l | grep acl` (on Debian-based systems), or `rpm -q acl` (on RPM-based systems).
  • Audit usage of getfacl, setfacl, and chacl commands by privileged users or processes to detect unusual or unauthorized invocations.
  • Use filesystem monitoring tools (e.g., inotifywait) to watch for creation or replacement of symbolic links in directories accessed by privileged processes.

Mitigation Strategies

The primary mitigation step is to upgrade the acl software to version 2.4.0 or later, where this TOCTOU race condition vulnerability has been fixed.

Until the upgrade can be applied, restrict local user access to privileged processes that invoke getfacl, setfacl, or chacl to minimize the risk of exploitation.

Avoid running these ACL-related commands on paths that can be controlled or influenced by untrusted users to prevent symbolic link redirection attacks.
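
For privileged code that must touch such paths, the lstat()-then-stat() window described above disappears when the path is resolved once, component by component, and both the check and the operation go through the resulting descriptor. The following is an added example, not code from acl or from this report; `open_nofollow_path` and the temporary tree are hypothetical and constructed for illustration, and Linux (`O_PATH`) is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: resolve `path` relative to `rootfd` one component at a
 * time, refusing ".." and any component that is a symlink.
 * Returns an O_PATH descriptor pinned to the final object, or -1. */
int open_nofollow_path(int rootfd, const char *path)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int fd = dup(rootfd);
    for (char *c = strtok_r(buf, "/", &save); c && fd >= 0; c = strtok_r(NULL, "/", &save)) {
        struct stat st;
        int next = strcmp(c, "..") ? openat(fd, c, O_PATH | O_NOFOLLOW | O_CLOEXEC) : -1;
        /* O_PATH|O_NOFOLLOW yields a descriptor for the link itself, so test it. */
        if (next >= 0 && (fstat(next, &st) != 0 || S_ISLNK(st.st_mode))) {
            close(next); next = -1;   /* symlink component: refuse, do not follow */
        }
        close(fd);
        fd = next;
    }
    return fd;   /* later checks (fstat) and operations must use this fd, not the path */
}

/* Constructed demo tree: <tmp>/real/file and <tmp>/link -> real.
 * Returns 1 when the plain path is accepted, the symlinked path is refused,
 * and a path-based stat of the same name would have followed the link. */
int demo_symlink_rejected(void)
{
    char tmpl[] = "/tmp/acl-toctou-XXXXXX";
    struct stat st;
    if (!mkdtemp(tmpl)) return -1;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (mkdirat(root, "real", 0700) || symlinkat("real", root, "link")) return -1;
    close(openat(root, "real/file", O_CREAT | O_WRONLY, 0600));
    int ok = open_nofollow_path(root, "real/file");
    int bad = open_nofollow_path(root, "link/file");
    int followed = fstatat(root, "link/file", &st, 0) == 0;
    int result = ok >= 0 && bad < 0 && followed;
    if (ok >= 0) close(ok);
    unlinkat(root, "real/file", 0); unlinkat(root, "link", 0);
    unlinkat(root, "real", AT_REMOVEDIR); close(root); rmdir(tmpl);
    return result;
}
int main(void) { return demo_symlink_rejected() == 1 ? 0 : 1; }
```

On Linux 5.6 and later, openat2() with `RESOLVE_NO_SYMLINKS` performs the same refusal in a single call.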

Compliance Impact

The vulnerability allows local attackers to escalate privileges and redirect file access control list operations to arbitrary files, potentially enabling unauthorized manipulation of access control lists.

Such unauthorized privilege escalation and manipulation of access controls could lead to violations of security and privacy requirements mandated by common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
