TOCTOU Race Condition Vulnerability in acl by GNU
CVE-2026-54370

7.2HIGH

Key Information:

Vendor

Acl Project

Status
Acl
Vendor
CVE Published:
29 June 2026

What is CVE-2026-54370?

The acl library prior to version 2.4.0 is susceptible to a race condition vulnerability, specifically a time-of-check to time-of-use (TOCTOU) race condition. This flaw enables local attackers to escalate their privileges by manipulating a pathname component with a symbolic link. By conducting a lstat() check followed by symlink-following operations like stat(), chown(), and chmod(), attackers can redirect file access control list operations to arbitrary files. Consequently, this can lead to unauthorized access to privileged processes that utilize functions like getfacl, setfacl, or chacl over an attacker-controlled path.

Affected Version(s)

acl 0

References

https://cgit.git.savannah.nongnu.org/cgit/acl.git/commit/...
patch
https://cgit.git.savannah.nongnu.org/cgit/acl.git/commit/...
issue-tracking
https://www.vulncheck.com/advisories/acl-toctou-symlink-t...
third-party-advisory

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrew Tridgell
Andreas Gruenbacher
.