REDHAT-BUG-2451615: Race Condition
A time-of-check-to-time-of-use (TOCTOU) race condition in libcap’s cap_set_file() allows a local unprivileged user to redirect file capability updates to an attacker‑controlled file and gain elevated privileges. The function first validates the target path with lstat() (which does not follow symlinks) and enforces that it is a regular, non‑symlink file, but then applies or removes security.capability using setxattr() / removexattr(), which re-resolve the path and do follow symlinks. An attacker with write access to the parent directory can exploit the window between these calls by atomically swapping the validated regular file with a symlink or alternate file using renameat2(RENAME_EXCHANGE). As a result, capabilities can be injected into or stripped from an unintended executable, for example when a privileged process (such as setcap, package scripts, or container tooling) invokes cap_set_file() on an attacker-influenced path. This can be abused to grant capabilities like CAP_SETUID to an attacker’s binary and escalate to root.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2451615?
The severity of REDHAT-BUG-2451615 is considered to be high due to its potential for privilege escalation.
How do I fix REDHAT-BUG-2451615?
To mitigate REDHAT-BUG-2451615, it is recommended to apply security patches provided by your system vendor.
Who is affected by REDHAT-BUG-2451615?
Local unprivileged users of the libcap library are affected by REDHAT-BUG-2451615.
What causes REDHAT-BUG-2451615?
REHAT-BUG-2451615 is caused by a time-of-check-to-time-of-use race condition in the cap_set_file() function.
Can REDHAT-BUG-2451615 lead to system compromise?
Yes, REDHAT-BUG-2451615 can lead to system compromise by allowing attackers to gain elevated privileges.