CVE-2026-4878: Time-of-check Time-of-use (TOCTOU) Race Condition in Red Hat Red Hat Enterprise Linux 10
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
AI Analysis
Technical Summary
The vulnerability CVE-2026-4878 affects the libcap library in Red Hat Enterprise Linux 10 and 9. It is a TOCTOU race condition in the cap_set_file() function that allows a local unprivileged user with write access to a parent directory to redirect capability changes to an attacker-controlled file. This can cause unintended modification of file capabilities on executables, enabling privilege escalation. Red Hat has rated the security impact as Important and assigned a CVSS v3.1 base score of 6.7. Official security advisories RHSA-2026:12423 and RHSA-2026:12441 provide updated libcap packages for multiple architectures including x86_64, s390x, ppc64le, and aarch64. The advisories include instructions for applying the updates and reference the CVE for further details.
Potential Impact
Successful exploitation allows a local unprivileged user to escalate privileges by injecting or stripping capabilities on executables via a TOCTOU race condition in libcap's cap_set_file() function. This can compromise system security by enabling unauthorized privilege escalation. The CVSS score of 6.7 reflects high impact on confidentiality, integrity, and availability. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Red Hat has released official security updates for libcap that fix this TOCTOU race condition vulnerability. Users of Red Hat Enterprise Linux 9 and 10 should apply the updated libcap packages as detailed in advisories RHSA-2026:12423 and RHSA-2026:12441. The advisories provide package names and download links for affected architectures. Applying these patches fully mitigates the vulnerability. No additional mitigations are required beyond applying the official updates.
CVE-2026-4878: Time-of-check Time-of-use (TOCTOU) Race Condition in Red Hat Red Hat Enterprise Linux 10
Description
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-4878 affects the libcap library in Red Hat Enterprise Linux 10 and 9. It is a TOCTOU race condition in the cap_set_file() function that allows a local unprivileged user with write access to a parent directory to redirect capability changes to an attacker-controlled file. This can cause unintended modification of file capabilities on executables, enabling privilege escalation. Red Hat has rated the security impact as Important and assigned a CVSS v3.1 base score of 6.7. Official security advisories RHSA-2026:12423 and RHSA-2026:12441 provide updated libcap packages for multiple architectures including x86_64, s390x, ppc64le, and aarch64. The advisories include instructions for applying the updates and reference the CVE for further details.
Potential Impact
Successful exploitation allows a local unprivileged user to escalate privileges by injecting or stripping capabilities on executables via a TOCTOU race condition in libcap's cap_set_file() function. This can compromise system security by enabling unauthorized privilege escalation. The CVSS score of 6.7 reflects high impact on confidentiality, integrity, and availability. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Red Hat has released official security updates for libcap that fix this TOCTOU race condition vulnerability. Users of Red Hat Enterprise Linux 9 and 10 should apply the updated libcap packages as detailed in advisories RHSA-2026:12423 and RHSA-2026:12441. The advisories provide package names and download links for affected architectures. Applying these patches fully mitigates the vulnerability. No additional mitigations are required beyond applying the official updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-03-26T06:32:41.308Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-4878","vendor":"Red Hat"}]
Threat ID: 69d7ce5e1cc7ad14dae8f92c
Added to database: 4/9/2026, 4:05:50 PM
Last enriched: 5/19/2026, 6:00:02 PM
Last updated: 5/24/2026, 9:41:35 PM
Views: 112
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.