Marco Vanotti

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue is related to a Time-of-Check-to-Time-of-Use (ToCToU) vulnerability in the Linux kernel. When opening a file for execution via `do filp open()`, permission checking is done against the file's metadata at that moment. Later, in the `execve()` code path, the file metadata (specifically mode, `uid`, and `gid`) is used to determine if and how to set the `uid` and `gid`. However, these values may have changed since the permissions check, allowing the execution to gain unintended privileges. This can occur when package managers update the setuid bits of installed programs, potentially leading to unauthorized root privileges. The vulnerability is rare in real-world scenarios but has been observed and proven exploitable. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider restricting access to files that are being updated by package managers to minimize the risk of exploitation.