CVE-2026-53612

NameCVE-2026-53612
DescriptionLocal Privilege Escalation via TOCTOU in mount(8) hook_owner.c chmod/chown
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140194

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
util-linux (PTS)bullseye (security), bullseye2.36.1-8+deb11u2fixed
bookworm2.38.1-5+deb12u3fixed
bookworm (security)2.38.1-5+deb12u1fixed
trixie2.41-5vulnerable
forky2.42.1-3vulnerable
sid2.42.1-6vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
util-linuxsourcebullseye(not affected)
util-linuxsourcebookworm(not affected)
util-linuxsource(unstable)(unfixed)1140194

Notes

[bookworm] - util-linux <not-affected> (Vulnerable code introduced later)
[bullseye] - util-linux <not-affected> (Vulnerable code introduced later)
https://github.com/util-linux/util-linux/security/advisories/GHSA-g8wm-75wr-g2vh
Fixed by: https://github.com/util-linux/util-linux/commit/d0c5adaeb3a3d823aba1377794de8f009b8152cc (v2.42.2)
Search for package or bug name: Reporting problems