PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11837 Red Hat CVE debrief

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Users of the ansible.posix authorized_key module, particularly operators who run it as root to manage SSH authorized keys on hosts with untrusted local users, should be aware of this vulnerability and take the actions below to mitigate it.

Technical summary

The ansible.posix authorized_key module is vulnerable to local privilege escalation because its keyfile() function changes ownership with os.chown(), which follows symbolic links, instead of os.lchown(), and opens files without the O_NOFOLLOW flag when managing SSH authorized keys. A symbolic link pre-staged by the local user in ~/.ssh therefore redirects the root-run ownership change to a path of the user's choosing.

Defensive priority

HIGH

Recommended defensive actions

  • Update the ansible.posix module to a version whose keyfile() uses os.lchown() and opens files with the O_NOFOLLOW flag when managing SSH authorized keys.
  • Restrict access to the ~/.ssh directory so that unprivileged local users cannot pre-stage symbolic links in it before the authorized_key task runs as root.
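The two actions above amount to one pattern: resolve the key file relative to an opened ~/.ssh directory, refuse symbolic links with O_NOFOLLOW, and apply ownership to the opened inode rather than to a path. The following Python is an added illustration of that hardened pattern written for this debrief; it is not the ansible.posix keyfile() implementation. The function names, the pre-flight audit and the constructed scenario in demo() (a temporary directory with a pre-staged symlink standing in for ~/.ssh) are assumptions of this example, and the ownership change uses the caller's own uid/gid so it runs unprivileged.

```python
import os
import stat
import tempfile

# Hardened handling of ~/.ssh/authorized_keys (added example, not ansible.posix code).
# Rules: never let a path component be resolved through a symlink the user controls,
# and apply ownership to the open inode (fchown) or the link itself (lchown),
# never through a path that the user may have redirected.


def open_ssh_dir(ssh_dir):
    """Open the .ssh directory itself with O_NOFOLLOW so a symlinked directory fails early."""
    return os.open(ssh_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)


def audit_ssh_dir(ssh_dir):
    """Pre-flight check for operators: names inside ssh_dir that are symbolic links."""
    dfd = open_ssh_dir(ssh_dir)
    try:
        names = sorted(os.listdir(dfd))
        return [n for n in names
                if stat.S_ISLNK(os.lstat(n, dir_fd=dfd).st_mode)]
    finally:
        os.close(dfd)


def write_authorized_keys(ssh_dir, content, uid, gid, name="authorized_keys"):
    """Write the key file relative to the opened directory fd; returns bytes written.

    Raises OSError (ELOOP) if `name` is a symlink, and refuses non-regular files.
    """
    dfd = open_ssh_dir(ssh_dir)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW  # ELOOP if name is a symlink
        fd = os.open(name, flags, 0o600, dir_fd=dfd)
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise OSError("refusing to write to a non-regular file")
            os.ftruncate(fd, 0)
            data = content.encode()
            total = 0
            while data:                      # os.write may write partially
                n = os.write(fd, data)
                data = data[n:]
                total += n
            os.fchown(fd, uid, gid)          # ownership on the open inode, not a path
            os.fchmod(fd, 0o600)
            return total
        finally:
            os.close(fd)
    finally:
        os.close(dfd)


def demo():
    """Constructed scenario (assumed, for illustration): a symlink pre-staged as
    authorized_keys is refused; a regular file is then written normally."""
    base = tempfile.mkdtemp()
    ssh_dir = os.path.join(base, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    decoy = os.path.join(base, "outside_target")   # stands in for an arbitrary path
    open(decoy, "w").close()
    os.symlink(decoy, os.path.join(ssh_dir, "authorized_keys"))
    key_line = "ssh-ed25519 AAAAexample test\n"     # constructed, not a real key
    uid, gid = os.getuid(), os.getgid()

    results = {"audit_before": audit_ssh_dir(ssh_dir)}
    try:
        write_authorized_keys(ssh_dir, key_line, uid, gid)
        results["symlink_refused"] = False
    except OSError:
        results["symlink_refused"] = True
    os.unlink(os.path.join(ssh_dir, "authorized_keys"))   # removes only the link

    results["bytes_written"] = write_authorized_keys(ssh_dir, key_line, uid, gid)
    with open(os.path.join(ssh_dir, "authorized_keys")) as f:
        results["content_ok"] = f.read() == key_line
    results["audit_after"] = audit_ssh_dir(ssh_dir)
    results["decoy_untouched"] = os.path.getsize(decoy) == 0
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the audit flagging the pre-staged link, the write raising OSError instead of following it, the decoy file staying untouched, and the same call succeeding once a regular file is in place. The same audit can be run by an operator before a root-run authorized_key task as a cheap detection step.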

Evidence notes

The vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown(), which follows symbolic links, instead of os.lchown(), and opens files without O_NOFOLLOW when managing SSH authorized keys.

Official resources

CVE-2026-11837 was published on 2026-06-10T05:16:38.510Z and modified on 2026-06-10T19:24:04.320Z.