A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
Weakness
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libcap | Libcap_project | - (including) | - (including) |
| Openshift_container_platform | Redhat | 4.0 (including) | 4.0 (including) |
| Enterprise_linux | Redhat | 8.0 (including) | 8.0 (including) |
| Enterprise_linux | Redhat | 9.0 (including) | 9.0 (including) |
| Enterprise_linux | Redhat | 10.0 (including) | 10.0 (including) |
| Red Hat Enterprise Linux 10 | RedHat | libcap-0:2.69-7.el10_1.1 | * |
| Red Hat Enterprise Linux 10 | RedHat | libcap-0:2.69-7.el10_2.1 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | libcap-0:2.69-7.el10_0.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | libcap-0:2.48-6.el8_10.1 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | libcap-0:2.48-4.el8_6.1 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On | RedHat | libcap-0:2.48-4.el8_6.1 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | libcap-0:2.48-5.el8_8.1 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | libcap-0:2.48-5.el8_8.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | libcap-0:2.48-10.el9_7.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | libcap-0:2.48-10.el9_8.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | libcap-0:2.48-10.el9_7.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | libcap-0:2.48-10.el9_8.1 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | libcap-0:2.48-9.el9_2.1 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | libcap-0:2.48-9.el9_4.1 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | libcap-0:2.48-9.el9_6.1 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | rhcos-415.92.202606030318-0 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | rhcos-416.94.202606051757-0 | * |
| Red Hat OpenShift Container Platform 4.18 | RedHat | rhcos-418.94.202606051320-0 | * |
| Red Hat OpenShift Container Platform 4.19 | RedHat | rhcos-4.19.9.6.202606031700-0 | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/model-opt-cuda-rhel9:1780681984 | * |
| Red Hat Discovery 2 | RedHat | discovery/discovery-server-rhel9:1778101579 | * |
| Red Hat Discovery 2 | RedHat | discovery/discovery-ui-rhel9:1778156756 | * |
| Red Hat Hardened Images | RedHat | libcap-main-2.78-1.1.hum1 | * |
| Red Hat Insights proxy 1.5 | RedHat | insights-proxy/insights-proxy-container-rhel9:1780420428 | * |
| Red Hat OpenShift distributed tracing 3.9.3 | RedHat | rhosdt/opentelemetry-collector-rhel9:1778056267 | * |
| Red Hat OpenShift distributed tracing 3.9.3 | RedHat | rhosdt/opentelemetry-rhel9-operator:1778056233 | * |
| Red Hat OpenShift distributed tracing 3.9.3 | RedHat | rhosdt/opentelemetry-target-allocator-rhel9:1778056245 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/cds-rhel9:1779798159 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/haproxy-rhel9:1779798164 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/installer-rhel9:1779798165 | * |
| Red Hat Update Infrastructure 5 | RedHat | rhui5/rhua-rhel9:1779798222 | * |
| Libcap2 | Ubuntu | esm-infra/xenial | * |
| Libcap2 | Ubuntu | jammy | * |
| Libcap2 | Ubuntu | noble | * |
| Libcap2 | Ubuntu | questing | * |
| Libcap2 | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
References
- https://access.redhat.com/errata/RHSA-2026:12423
- https://access.redhat.com/errata/RHSA-2026:12441
- https://access.redhat.com/errata/RHSA-2026:13285
- https://access.redhat.com/errata/RHSA-2026:14162
- https://access.redhat.com/errata/RHSA-2026:14937
- https://access.redhat.com/errata/RHSA-2026:19130
- https://access.redhat.com/errata/RHSA-2026:19346
- https://access.redhat.com/errata/RHSA-2026:19456
- https://access.redhat.com/errata/RHSA-2026:19458
- https://access.redhat.com/errata/RHSA-2026:20595
- https://access.redhat.com/errata/RHSA-2026:21254
- https://access.redhat.com/errata/RHSA-2026:21275
- https://access.redhat.com/errata/RHSA-2026:22634
- https://access.redhat.com/errata/RHSA-2026:22957
- https://access.redhat.com/errata/RHSA-2026:23233
- https://access.redhat.com/errata/RHSA-2026:23245
- https://access.redhat.com/errata/RHSA-2026:24346
- https://access.redhat.com/errata/RHSA-2026:25096
- https://access.redhat.com/errata/RHSA-2026:7473
- https://access.redhat.com/security/cve/CVE-2026-4878
- https://bugzilla.redhat.com/show_bug.cgi?id=2447554
- https://bugzilla.redhat.com/show_bug.cgi?id=2451615
- http://www.openwall.com/lists/oss-security/2026/04/07/14
- http://www.openwall.com/lists/oss-security/2026/04/07/4
- http://www.openwall.com/lists/oss-security/2026/04/08/9
- http://www.openwall.com/lists/oss-security/2026/04/09/5
- http://www.openwall.com/lists/oss-security/2026/04/09/6