CVE-2026-53614

NameCVE-2026-53614
DescriptionLocal Privilege Escalation via LIBMOUNT_FORCE_MOUNT2 Environment Variable - nosuid/noexec Bypass in SUID mount(8)
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140196

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
util-linux (PTS)bullseye (security), bullseye2.36.1-8+deb11u2fixed
bookworm2.38.1-5+deb12u3fixed
bookworm (security)2.38.1-5+deb12u1fixed
trixie2.41-5vulnerable
forky2.42.1-3vulnerable
sid2.42.1-6vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
util-linuxsourcebullseye(not affected)
util-linuxsourcebookworm(not affected)
util-linuxsource(unstable)(unfixed)1140196

Notes

[bookworm] - util-linux <not-affected> (Vulnerable code introduced later)
[bullseye] - util-linux <not-affected> (Vulnerable code introduced later)
https://github.com/util-linux/util-linux/security/advisories/GHSA-67r7-8m5w-22wx
Fixed by: https://github.com/util-linux/util-linux/commit/31e37c1c7dcf25b76ccf41391fe934a75644c661 (v2.42.2)
Search for package or bug name: Reporting problems