CVE-2026-4878

EUVD-2026-20910
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.
TOCTOU
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
libcap_projectlibcap
-
redhatopenshift_container_platform
4.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcap2
bookworm
1:2.66-4+deb12u3
fixed
bullseye
postponed
bullseye (security)
vulnerable
forky
1:2.78-1
fixed
sid
1:2.78-1
fixed
trixie
1:2.75-10+deb13u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libcap-devel
suse enterprise desktop 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise server 12 SP5
2.26-14.12.1
fixed
suse enterprise server 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP7
2.63-150400.3.6.1
fixed
libcap-progs
suse enterprise desktop 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise server 12 SP3
2.26-14.12.1
fixed
suse enterprise server 12 SP5
2.26-14.12.1
fixed
suse enterprise server 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP7
2.63-150400.3.6.1
fixed
libcap2
suse enterprise desktop 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise server 12 SP3
2.26-14.12.1
fixed
suse enterprise server 12 SP5
2.26-14.12.1
fixed
suse enterprise server 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP7
2.63-150400.3.6.1
fixed
libcap2-32bit
suse enterprise desktop 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise server 12 SP3
2.26-14.12.1
fixed
suse enterprise server 12 SP5
2.26-14.12.1
fixed
suse enterprise server 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP7
2.63-150400.3.6.1
fixed
libpsx2
suse enterprise desktop 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise sap 15 SP7
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP4
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP5
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP6
2.63-150400.3.6.1
fixed
suse enterprise server 15 SP7
2.63-150400.3.6.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
libcap
RHEL 8
0:2.48-6.el8_10.1
fixed
RHEL 9
0:2.48-10.el9_8.1
fixed
libcap-devel
RHEL 8
0:2.48-6.el8_10.1
fixed
RHEL 9
0:2.48-10.el9_8.1
fixed
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2026:12423
https://access.redhat.com/errata/RHSA-2026:12441
https://access.redhat.com/errata/RHSA-2026:13285
https://access.redhat.com/errata/RHSA-2026:14162
https://access.redhat.com/errata/RHSA-2026:14937
https://access.redhat.com/errata/RHSA-2026:19130
https://access.redhat.com/errata/RHSA-2026:19346
https://access.redhat.com/errata/RHSA-2026:19456
https://access.redhat.com/errata/RHSA-2026:19458
https://access.redhat.com/errata/RHSA-2026:7473
https://access.redhat.com/security/cve/CVE-2026-4878
https://bugzilla.redhat.com/show_bug.cgi?id=2447554
https://bugzilla.redhat.com/show_bug.cgi?id=2451615
http://www.openwall.com/lists/oss-security/2026/04/07/14
http://www.openwall.com/lists/oss-security/2026/04/07/4
http://www.openwall.com/lists/oss-security/2026/04/08/9
http://www.openwall.com/lists/oss-security/2026/04/09/5
http://www.openwall.com/lists/oss-security/2026/04/09/6