PT-2026-53272 · Acl · Acl

Andreas Gruenbacher · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-54369

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

acl versions prior to 2.4.0

Description

A symlink traversal issue exists in pathname-based functions. Local attackers can escalate privileges by replacing a pathname component with a symbolic link. If an attacker controls any part of a pathname processed by a privileged caller, they can redirect ACL read or write operations to arbitrary files or directories, allowing unauthorized manipulation of access control lists. The affected functions are acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file().

Recommendations

Update to version 2.4.0 or later. As a temporary mitigation, restrict access to the functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() to prevent unauthorized pathname manipulation.
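
Added example (not from this advisory or the acl project, and not the upstream fix): one way a privileged caller can avoid passing an attacker-influenced pathname to the acl_*_file() functions is to resolve the path itself, one component at a time with O_NOFOLLOW, and then use libacl's descriptor-based calls acl_get_fd() and acl_set_fd(), which handle access ACLs only. The helper name open_nofollow_beneath() is an assumption made for this sketch.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* open_nofollow_beneath() is a hypothetical helper, not a libacl function.
 * It walks relpath below rootfd one component at a time and refuses any
 * component that is a symbolic link or "..". Returns an open descriptor, or
 * -1 with errno set (ELOOP or ENOTDIR for a symlink, EINVAL for ".." or an
 * empty path). */
int open_nofollow_beneath(int rootfd, const char *relpath)
{
    char *copy = strdup(relpath), *save = NULL;
    if (copy == NULL)
        return -1;
    int cur = dup(rootfd);              /* private handle we may close */
    int err = (cur < 0) ? errno : 0;
    int opened = 0;
    char *comp = strtok_r(copy, "/", &save);
    while (err == 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { err = EINVAL; break; }
        /* Intermediate components must be real directories, never links. */
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0);
        int fd = openat(cur, comp, flags);
        if (fd < 0) { err = errno; break; }
        close(cur);
        cur = fd;                       /* later swaps of comp no longer matter */
        opened = 1;
        comp = next;
    }
    if (err == 0 && !opened)
        err = EINVAL;                   /* empty path: nothing was resolved */
    free(copy);
    if (err != 0) {
        if (cur >= 0)
            close(cur);
        errno = err;
        return -1;
    }
    /* The caller would hand this descriptor to acl_get_fd() or acl_set_fd()
     * instead of giving the pathname to an acl_*_file() function. */
    return cur;
}
```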

Fix

Link Following

Weakness Enumeration

Related Identifiers

CVE-2026-54369

Affected Products

Acl