Symlink Traversal Vulnerability in attr Utilities by Savannah
CVE-2026-54371

8.4HIGH

Key Information:

Vendor

Acl Project

Status
Acl
Vendor
CVE Published:
29 June 2026

What is CVE-2026-54371?

The attr utilities before version 2.6.0 are susceptible to a symlink traversal vulnerability. This flaw allows local attackers to exploit the getfattr and setfattr functionalities. By manipulating pathname components with symbolic links during directory hierarchy traversal, attackers can redirect operations to arbitrary files. This redirection could potentially allow unauthorized privilege escalation when these operations are executed by a privileged process that follows an attacker-controlled path.

Affected Version(s)

acl 0

References

https://cgit.git.savannah.nongnu.org/cgit/attr.git/commit...
patch
https://cgit.git.savannah.nongnu.org/cgit/attr.git/commit...
issue-tracking
https://www.vulncheck.com/advisories/attr-symlink-travers...
third-party-advisory

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrew Tridgell
Andreas Gruenbacher
.