Description
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
Problem types
Improper Link Resolution Before File Access ('Link Following')
Product status
Any version before 2.4.0
Credits
Andrew Tridgell
Andreas Gruenbacher
References
access.redhat.com/security/cve/CVE-2026-54369
bugzilla.redhat.com/show_bug.cgi?id=2490277 (RHBZ#2490277)
security.access.redhat.com/...2/vex/2026/cve-2026-54369.json
access.redhat.com/errata/RHSA-2026:34351
cgit.git.savannah.nongnu.org/...b34bdd9265936e17190b6d3f17d1
cgit.git.savannah.nongnu.org/...76612194f8a56c2314389adc74a5
www.vulncheck.com/...ivilege-escalation-via-libacl-functions