CVE-2026-4878 | THREATINT

Description

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

PUBLISHED Reserved 2026-03-26 | Published 2026-04-09 | Updated 2026-05-27 | Assigner redhat

MEDIUM: 6.7CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

Time-of-check Time-of-use (TOCTOU) Race Condition

Product status

Default status

affected

0:2.69-7.el10_1.1 (rpm) before *

unaffected

Default status

affected

0:2.69-7.el10_2.1 (rpm) before *

unaffected

Default status

affected

0:2.69-7.el10_0.1 (rpm) before *

unaffected

Default status

affected

0:2.48-6.el8_10.1 (rpm) before *

unaffected

Default status

affected

0:2.48-10.el9_7.1 (rpm) before *

unaffected

Default status

affected

0:2.48-10.el9_8.1 (rpm) before *

unaffected

Default status

affected

0:2.48-10.el9_7.1 (rpm) before *

unaffected

Default status

affected

0:2.48-10.el9_8.1 (rpm) before *

unaffected

Default status

affected

0:2.48-9.el9_2.1 (rpm) before *

unaffected

Default status

affected

0:2.48-9.el9_4.1 (rpm) before *

unaffected

Default status

affected

0:2.48-9.el9_6.1 (rpm) before *

unaffected

Default status

affected

1778101579 (rpm) before *

unaffected

Default status

affected

1778156756 (rpm) before *

unaffected

Default status

affected

2.78-1.1.hum1 (rpm) before *

unaffected

Default status

affected

1778056267 (rpm) before *

unaffected

Default status

affected

1778056233 (rpm) before *

unaffected

Default status

affected

1778056245 (rpm) before *

unaffected

Default status

affected

1779798159 (rpm) before *

unaffected

Default status

affected

1779798164 (rpm) before *

unaffected

Default status

affected

1779798165 (rpm) before *

unaffected

Default status

affected

1779798222 (rpm) before *

unaffected

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Default status

affected

Timeline

2026-03-26:	Reported to Red Hat.
2026-04-06:	Made public.

Credits

Red Hat would like to thank Ali Raza for reporting this issue.

References

www.openwall.com/lists/oss-security/2026/04/07/4

www.openwall.com/lists/oss-security/2026/04/07/14

www.openwall.com/lists/oss-security/2026/04/08/9

www.openwall.com/lists/oss-security/2026/04/09/5

www.openwall.com/lists/oss-security/2026/04/09/6

access.redhat.com/errata/RHSA-2026:12423 (RHSA-2026:12423) vendor-advisory

access.redhat.com/errata/RHSA-2026:12441 (RHSA-2026:12441) vendor-advisory

access.redhat.com/errata/RHSA-2026:13285 (RHSA-2026:13285) vendor-advisory

access.redhat.com/errata/RHSA-2026:14162 (RHSA-2026:14162) vendor-advisory

access.redhat.com/errata/RHSA-2026:14937 (RHSA-2026:14937) vendor-advisory

access.redhat.com/errata/RHSA-2026:19130 (RHSA-2026:19130) vendor-advisory

access.redhat.com/errata/RHSA-2026:19346 (RHSA-2026:19346) vendor-advisory

access.redhat.com/errata/RHSA-2026:19456 (RHSA-2026:19456) vendor-advisory

access.redhat.com/errata/RHSA-2026:19458 (RHSA-2026:19458) vendor-advisory

access.redhat.com/errata/RHSA-2026:20595 (RHSA-2026:20595) vendor-advisory

access.redhat.com/errata/RHSA-2026:21254 (RHSA-2026:21254) vendor-advisory

access.redhat.com/errata/RHSA-2026:21275 (RHSA-2026:21275) vendor-advisory

access.redhat.com/errata/RHSA-2026:7473 (RHSA-2026:7473) vendor-advisory

access.redhat.com/security/cve/CVE-2026-4878 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2447554

bugzilla.redhat.com/show_bug.cgi?id=2451615 (RHBZ#2451615) issue-tracking

cve.org (CVE-2026-4878)

nvd.nist.gov (CVE-2026-4878)

Download JSON

help @ threatint.eu