Linux ACL pre-2.4.0 Symlink Traversal in acl_get_file() & others - Priv Esc
CVE-2026-54369 Published on June 29, 2026
acl < 2.4.0 Symlink Traversal Privilege Escalation via libacl Functions
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
Vulnerability Analysis
CVE-2026-54369 can be exploited with local system access and requires a low level of user privileges. This vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an insecure temporary file Vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2026-54369 has been classified as an insecure temporary file vulnerability or weakness.
Products Associated with CVE-2026-54369
Affected Versions
acl project acl: versions before 2.4.0 are affected.