CVE-2026-54371
Received Received - Intake

Symlink Traversal in attr Before 2.6.0

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description
attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr or setfattr is invoked by a privileged process over an attacker-controlled path.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-54371
EUVD
EUVD-2026-40087

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
acl attr to 2.6.0 (exc)
acl acl to 2.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54371 is a symlink traversal vulnerability in the attr package before version 2.6.0, specifically affecting the getfattr and setfattr utilities.

This flaw allows local attackers who control a pathname component to replace it with a symbolic link, redirecting file operations to arbitrary files.

When these utilities are run by a privileged process on an attacker-controlled path, this can lead to local privilege escalation.

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges on the affected system.

By substituting a symbolic link in a pathname component, an attacker can redirect getfattr and setfattr operations to arbitrary files.

If these utilities are executed by a privileged process, the attacker can gain higher-level access than intended, potentially compromising system security.

Detection Guidance

This vulnerability involves the getfattr and setfattr utilities in the attr package before version 2.6.0, which are local tools used to get and set extended attributes on files. Detection involves checking the installed version of the attr package to see if it is older than 2.6.0.

You can detect if your system is vulnerable by running a command to check the version of attr installed, for example:

  • attr --version

If the version is before 2.6.0, your system is vulnerable. Additionally, you can audit usage of getfattr and setfattr commands, especially when run by privileged users, to identify if they are invoked on attacker-controlled paths.

Mitigation Strategies

The primary mitigation step is to upgrade the attr package to version 2.6.0 or later, where this symlink traversal vulnerability has been fixed.

Until the upgrade can be applied, avoid running getfattr or setfattr utilities on untrusted or attacker-controlled paths, especially with elevated privileges.

Review and restrict local user permissions to prevent attackers from controlling pathname components used by privileged processes invoking these utilities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart