{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27456", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T17:25:31.100Z", "datePublished": "2026-04-03T21:23:00.984Z", "dateUpdated": "2026-04-06T15:42:35.774Z"}, "containers": {"cna": {"title": "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"}, {"name": "https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4", "tags": ["x_refsource_MISC"], "url": "https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4"}, {"name": "https://github.com/util-linux/util-linux/releases/tag/v2.41.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/util-linux/util-linux/releases/tag/v2.41.4"}], "affected": [{"vendor": "util-linux", "product": "util-linux", "versions": [{"version": "< 2.41.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:23:00.984Z"}, "descriptions": [{"lang": "en", "value": "util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4."}], "source": {"advisory": "GHSA-qq4x-vfq4-9h9g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:38:42.794607Z", "id": "CVE-2026-27456", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:42:35.774Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27456", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:38:42.794607Z"}}}], "references": [{"url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:38:52.451Z"}}], "cna": {"title": "util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup", "source": {"advisory": "GHSA-qq4x-vfq4-9h9g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "util-linux", "product": "util-linux", "versions": [{"status": "affected", "version": "< 2.41.4"}]}], "references": [{"url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g", "name": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4", "name": "https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/util-linux/util-linux/releases/tag/v2.41.4", "name": "https://github.com/util-linux/util-linux/releases/tag/v2.41.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T21:23:00.984Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27456", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:42:35.774Z", "dateReserved": "2026-02-19T17:25:31.100Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T21:23:00.984Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4."}], "id": "CVE-2026-27456", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T22:16:25.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4"}, {"source": "security-advisories@github.com", "url": "https://github.com/util-linux/util-linux/releases/tag/v2.41.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "util-linux: TOCTOU in the mount program when setting up loop devices", "id": "2454956", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454956"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-367", "details": ["util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.", "A flaw was found in util-linux. When an /etc/fstab entry is configured with the user,loop options, the `mount` program checks the file path with user permissions but later opens it with root privileges. This creates a brief Time-of-Check-Time-of-Use (TOCTOU) window where an attacker can substitute the intended file with a malicious symbolic link. This allows a local unprivileged user to mount any root-owned file or block device that contains a valid filesystem, gaining full read access to its contents."], "mitigation": {"lang": "en:us", "value": "To mitigate this flaw, remove the 'user' option from any loop mounts in the /etc/fstab file or ensure the the source path points to a root-owned directory where unprivileged users do not have write permissions."}, "name": "CVE-2026-27456", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "util-linux-ng", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "util-linux", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Fix deferred", "package_name": "syft/syft", "product_name": "Red Hat Hardened Images 1"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-03T21:23:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27456\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27456\nhttps://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4\nhttps://github.com/util-linux/util-linux/releases/tag/v2.41.4\nhttps://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g"], "statement": "This vulnerability is only exploitable when an `/etc/fstab` entry exists with `user,loop` options and its source path points to a directory where the attacker has write permission (e.g., the user's home directory). Also, this issue allows an attacker to mount any root-owned file or block device containing a valid filesystem, causing information disclosure. There is no memory corruption or arbitrary code execution. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.41.4)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "util-linux", "source": "cna", "vendor": "util-linux"}, "product": "util-linux", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T23:22:14.418838+00:00", "value": {"mitigation_remediation": ["Upgrade util\u2011linux to version 2.41.4 or later.", "Verify that the /usr/bin/mount binary has the correct permissions (SUID bit set to 4755).", "Remove or restrict user,loop options from /etc/fstab entries that point to writable directories.", "Consider disabling loop device support on the system if not required.", "If upgrading is not immediately possible, restrict unprivileged users from writing into directories referenced by /etc/fstab loop mounts."], "summary": {"action": "Patch Immediately", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue affects the util\u2011linux package on Linux distributions that ship a SUID mount binary. All versions prior to 2.41.4 are vulnerable, as the bug was fixed in that release. Targeted configurations include systems that permit the loop option in /etc/fstab and provide a directory writable by the unprivileged user. On virtually all Linux distributions the SUID bit on /usr/bin/mount is set by default, so the vulnerability is present when the default configuration is used.", "description_and_impact": "The vulnerability is a Time\u2011of\u2011Check/Time\u2011of\u2011Use race condition in the SUID mount binary (usr/bin/mount) shipped with util\u2011linux. During the setup of loop devices the binary validates the source file path as an unprivileged user by forking and calling setuid(), then calls realpath to resolve the path. However, it later re\u2011canonicalizes the same path and opens the file with root privileges (effective UID zero) without verifying that the path remained unchanged between the two operations. This missing check allows a local user to replace the original file with a symlink pointing to any root\u2011owned file or device while the race window exists, causing mount to read or mount that file as root. The result is unauthorized access to root\u2011protected files, block devices, backup images, or any file containing a valid filesystem.", "risk_and_exploitability": "The CVSS score of 4.7 denotes a moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access: the attacker must be able to write into a directory referenced by a user,loop /etc/fstab entry, and the mount binary must retain its SUID bit. Once the race condition succeeds, the attacker can read any root\u2011owned file or device via the loop mount, effectively elevating privileges locally. Because the attack vector is local and depends on specific fstab entries, the risk is limited to systems that use loop mounts with user options, but the impact on confidentiality is significant."}}}}, "created": "2026-04-06T21:22:27.678833+00:00", "updated": "2026-04-06T22:22:05.753247+00:00", "vendors": ["linux", "linux$PRODUCT$util-linux"]}