CVE-2026-54370

Name of the Vulnerable Software and Affected Versions acl versions prior to 2.4.0

Description A time-of-check to time-of-use (TOCTOU) race condition occurs when a local attacker replaces a pathname component with a symbolic link between an lstat() check and subsequent symlink-following operations. These operations include stat(), chown(), chmod(), acl get file(), and acl set file(). If a privileged process invokes getfacl, setfacl, or chacl over a path controlled by the attacker, file access control list operations can be redirected to arbitrary files, leading to local privilege escalation.

Recommendations Update to version 2.4.0 or later.