PatchSiren

CVE-2026-4878 Red Hat CVE debrief

A TOCTOU race condition in libcap's `cap_set_file()` function allows local unprivileged attackers with write access to a parent directory to redirect file capability updates to attacker-controlled files. This can result in privilege escalation through capability injection or stripping from unintended executables. The vulnerability affects libcap and Red Hat Enterprise Linux 8.0, 9.0, 10.0, and OpenShift Container Platform 4.0. Multiple Red Hat Security Advisories have been issued to address this flaw across affected products.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: MEDIUM 6.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-09
Original CVE updated: 2026-05-27
Advisory published: 2026-04-09
Advisory updated: 2026-05-27

Who should care

System administrators managing Red Hat Enterprise Linux 8, 9, or 10 deployments and OpenShift Container Platform 4.0 environments. Security teams responsible for capability-based access control implementations and local privilege escalation prevention.

Technical summary

The `cap_set_file()` function in libcap contains a time-of-check-to-time-of-use (TOCTOU) race condition. A local unprivileged attacker with write access to a parent directory can use the window between the check and the use to redirect a capability update to a different file than the one intended. This allows capabilities to be injected into attacker-controlled executables or stripped from legitimate binaries, resulting in privilege escalation. The attack requires local access, low privileges, and user interaction, with high attack complexity.

Defensive priority

high

Recommended defensive actions

  • Apply vendor patches from Red Hat Security Advisories for affected RHEL and OpenShift Container Platform installations
  • Review and restrict write permissions on directories containing executables with file capabilities
  • Monitor for anomalous capability changes on critical system binaries
  • Consider implementing filesystem access controls to mitigate TOCTOU race conditions
  • Audit systems for unexpected file capability modifications
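
The directory-permission review and capability-change audit recommended above can be scripted; the following is an added example, not code from Red Hat, libcap, or this advisory. The function names, `TRUSTED_UID`, and the single-clause `getcap` line format are assumptions of the sketch, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example, not Red Hat's or libcap's code. Function names and TRUSTED_UID
# are chosen for this sketch. Requires GNU stat; getcap only in the usage line.
TRUSTED_UID="${TRUSTED_UID:-0}"

# Strip the capability text from one getcap line, leaving the file path.
# Assumes a single capability clause: "PATH cap=ep" or older "PATH = cap+ep".
cap_path() {
    p=${1% *}
    printf '%s\n' "${p% =}"
}

# Print each ancestor directory of absolute path $1 that someone other than
# TRUSTED_UID can write to (foreign owner, or group/other write bit set).
risky_ancestors() {
    dir=$(dirname -- "$1")
    while :; do
        meta=$(stat -L -c '%u %a' -- "$dir") || return 1
        uid=${meta% *}
        mode=${meta#* }
        if [ "$uid" != "$TRUSTED_UID" ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf '%s\n' "$dir"
        fi
        case $dir in /|.) break ;; esac
        dir=$(dirname -- "$dir")
    done
}

# Compare two saved getcap listings; "+" marks capabilities that appeared or
# changed (injection), "-" marks ones that disappeared or changed (stripping).
cap_changes() {
    old=$(mktemp) && new=$(mktemp) || return 1
    sort -u -- "$1" > "$old"
    sort -u -- "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/+ /'
    comm -23 "$old" "$new" | sed 's/^/- /'
    rm -f -- "$old" "$new"
}

# Report every capability-bearing file that sits under a writable ancestor.
# Reads getcap lines on stdin, e.g.:  getcap -r / 2>/dev/null | audit_caps
audit_caps() {
    while IFS= read -r line; do
        f=$(cap_path "$line")
        risky_ancestors "$f" | while IFS= read -r d; do
            printf '%s: writable ancestor %s\n' "$f" "$d"
        done
    done
}
```

Saving `getcap -r /` output after patching gives `cap_changes` a baseline to compare later listings against.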

Evidence notes

CVE published 2026-04-09; modified 2026-05-27. CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. CWE-367 (TOCTOU) identified. Exploit discussion observed in oss-security mailing list posts dated 2026-04-09.
