CVE-2026-54371: Improper Link Resolution Before File Access ('Link Following') in acl project acl
A symlink traversal vulnerability exists in the acl project's getfattr and setfattr utilities prior to version 2.6.0. This vulnerability allows local attackers to escalate privileges by substituting a symbolic link during directory traversal, causing these utilities to operate on arbitrary files. The issue arises when a pathname component is replaced with a symlink, enabling redirection of file attribute operations. This can lead to local privilege escalation when these utilities are invoked by privileged processes on attacker-controlled paths.
AI Analysis
Technical Summary
The acl project’s attr utility before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr commands. Local attackers who can control a pathname component can replace it with a symbolic link during directory hierarchy traversal. This causes getfattr and setfattr to follow the symlink and operate on unintended files. When these utilities are run by privileged processes, this behavior can be exploited to escalate local privileges by manipulating file attribute operations on arbitrary files.
Potential Impact
Local attackers can escalate privileges by exploiting the symlink traversal vulnerability in getfattr and setfattr utilities. By controlling a pathname component and substituting a symbolic link, attackers can redirect file attribute operations to arbitrary files. This leads to unauthorized modification or disclosure of file attributes under the context of a privileged process, resulting in local privilege escalation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running getfattr and setfattr on untrusted or attacker-controlled paths with elevated privileges to reduce risk.
CVE-2026-54371: Improper Link Resolution Before File Access ('Link Following') in acl project acl
Description
A symlink traversal vulnerability exists in the acl project's getfattr and setfattr utilities prior to version 2.6.0. This vulnerability allows local attackers to escalate privileges by substituting a symbolic link during directory traversal, causing these utilities to operate on arbitrary files. The issue arises when a pathname component is replaced with a symlink, enabling redirection of file attribute operations. This can lead to local privilege escalation when these utilities are invoked by privileged processes on attacker-controlled paths.
CVSS v4.0
Score 8.4high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The acl project’s attr utility before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr commands. Local attackers who can control a pathname component can replace it with a symbolic link during directory hierarchy traversal. This causes getfattr and setfattr to follow the symlink and operate on unintended files. When these utilities are run by privileged processes, this behavior can be exploited to escalate local privileges by manipulating file attribute operations on arbitrary files.
Potential Impact
Local attackers can escalate privileges by exploiting the symlink traversal vulnerability in getfattr and setfattr utilities. By controlling a pathname component and substituting a symbolic link, attackers can redirect file attribute operations to arbitrary files. This leads to unauthorized modification or disclosure of file attributes under the context of a privileged process, resulting in local privilege escalation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running getfattr and setfattr on untrusted or attacker-controlled paths with elevated privileges to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-12T20:20:02.948Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4274e827e9c79719eeb144
Added to database: 06/29/2026, 13:36:40 UTC
Last enriched: 06/29/2026, 13:51:15 UTC
Last updated: 06/29/2026, 15:57:29 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.