TOCTOU Vulnerability in Mount Utility from Util-Linux
CVE-2026-27456

4.7 MEDIUM

Key Information:

Vendor:
Util-linux

CVE Published:
3 April 2026

What is CVE-2026-27456?

A TOCTOU (time-of-check to time-of-use) vulnerability exists in the SUID binary /usr/bin/mount from the Util-Linux package, affecting versions prior to 2.41.4. It stems from inadequate checks while mounting loop devices: a local unprivileged user can win a race condition and replace the source file with a symlink pointing at root-owned files or devices between the check and the use. Specifically, the vulnerability arises from the lack of O_NOFOLLOW on the open, of an inode comparison between the checked and the opened file, and of a post-open fstat() check. Exploitation requires an /etc/fstab entry configured with the user,loop options. A successful attack grants unauthorized read access to critical system files and block devices, posing a serious security risk. To mitigate this vulnerability, users are advised to upgrade to version 2.41.4 or later.
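The three missing checks the description names, shown together in an added C example that is not util-linux's code: a hardened open of a caller-supplied loop source that refuses a symlink via O_NOFOLLOW and confirms with a post-open fstat() that the opened inode is the one that was checked. The demo helper and its temp directory and file names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { SRC_ERR_LSTAT = -1, SRC_ERR_SYMLINK = -2, SRC_ERR_OPEN = -3,
       SRC_ERR_FSTAT = -4, SRC_ERR_SWAPPED = -5, SRC_ERR_NOTREG = -6 };
/* Hardened open of a caller-supplied loop source: check, O_NOFOLLOW open, re-verify.
 * Returns a file descriptor (>= 0) or one of the SRC_ERR_* codes. */
int open_source_checked(const char *path)
{
    struct stat before, after;
    if (lstat(path, &before) != 0)                  /* time-of-check */
        return SRC_ERR_LSTAT;
    if (S_ISLNK(before.st_mode))
        return SRC_ERR_SYMLINK;
    /* O_NOFOLLOW: a symlink swapped in after lstat() now fails with ELOOP */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return errno == ELOOP ? SRC_ERR_SYMLINK : SRC_ERR_OPEN;
    /* Post-open fstat() on the fd is the time-of-use view of the object */
    if (fstat(fd, &after) != 0) { close(fd); return SRC_ERR_FSTAT; }
    /* Inode comparison: a rename/replace between check and open shows up here */
    if (after.st_dev != before.st_dev || after.st_ino != before.st_ino) { close(fd); return SRC_ERR_SWAPPED; }
    /* Never hand back a device node as a loop backing file */
    if (!S_ISREG(after.st_mode)) { close(fd); return SRC_ERR_NOTREG; }
    return fd;
}

/* Constructed demo (hypothetical names): a regular file and a symlink to it
 * in a temp dir. Returns 0 when the file opens and the symlink is refused. */
int demo_regular_vs_symlink(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", file[64], link[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(file, sizeof file, "%s/src.img", dir);
    snprintf(link, sizeof link, "%s/link.img", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 1;
    close(fd);
    if (symlink(file, link) != 0) return 1;
    int r_file = open_source_checked(file), r_link = open_source_checked(link);
    if (r_file >= 0) close(r_file);
    unlink(link); unlink(file); rmdir(dir);
    return (r_file >= 0 && r_link == SRC_ERR_SYMLINK) ? 0 : 1;
}
```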

Affected Version(s)

util-linux < 2.41.4

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
