Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue

["Andrew G. Morgan" <morgan () kernel org>]

As promised, the advisory (
https://github.com/AndrewGMorgan/libcap_mirror/security/advisories/GHSA-f78v-p5hx-m7hh
) and release notes (
https://sites.google.com/site/fullycapable/release-notes-for-libcap?#h.x4zn8j3lss6r
) have been updated. I now consider this issue fully public.

FWIW Paul Ivanov tells me he had to fish my last message out of his
Spam folder, so I guess this follow up may have a similar fate.

Cheers

Andrew

On Mon, Apr 6, 2026 at 8:22 PM Andrew G. Morgan <morgan () kernel org> wrote:
> Hi,
>
> I've just released libcap-2.78 which includes a fix for a TOCTOU issue
> in libcap.
>
> The issue has been allocated the following code: CVE-2026-4878. It is
> the subject of this private bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=2447554 and is also
> written up in a github.com advisory which I will publish on Wednesday
> (this week). The github advisory tool characterizes the issue as
> CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (Severity: Moderate 7 /
> 10).
>
> The fix for pretty much that whole range of libcap releases is this commit:
>
> https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596
>
> As the code is publicly available, there is no embargo in place for
> releasing fixes.
>
> Cheers
>
> Andrew
>
> PS I tried a few times to post to the private openwall list about this
> issue 9 days ago, but my email bounced (likely because I couldn't
> effectively follow the mail formatting requirements). I might have
> realized that the emails were bounced if gmail hadn't silently placed
> the bounced replies in my SPAM folder. Sorry about that.