CVE-2026-54370 | acl before version 2.4.0 contains a time-of-check to time-of… | CVSS 6.3 MEDIUM

Description

acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations such as stat(), chown(), chmod(), acl_get_file(), and acl_set_file(). Attackers who control a pathname component can redirect file access control list operations to arbitrary files when getfacl, setfacl, or chacl is invoked by a privileged process over an attacker-controlled path, resulting in local privilege escalation.

Metadata

CVE ID: CVE-2026-54370
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-12 20:20 UTC
Published: 2026-06-29 12:38 UTC
Last updated: 2026-06-29 14:51 UTC
Primary CWE: CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product: acl project / acl
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
acl project	acl	—	0 < 2.4.0

Weakness (CWE)

CWE	Source	Description
CWE-367	cna	Time-of-check Time-of-use (TOCTOU) Race Condition

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.2	HIGH	4.0	cna	CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References (3)