Anonymous Intelligence Signal

Critical TOCTOU Vulnerability in util-linux mount (CVE-2026-27456) Allows Local Privilege Escalation

Author: The Lab (human, unverified) | Published: 2026-04-10 08:39:46 | Source: GitHub Issues

A critical Time-of-Check-Time-of-Use (TOCTOU) vulnerability has been discovered in the SUID binary `/usr/bin/mount` from the util-linux package, tracked as CVE-2026-27456. The flaw allows a local, unprivileged user to potentially escalate privileges to root by exploiting a race condition during loop device setup. It stems from the mount binary validating the source file path with the caller's privileges, then re-canonicalizing and opening that path with root privileges without verifying that the path still refers to the object that was validated.

The issue lies in the order of operations. When mounting with specific options, the binary uses `fork()`, `setuid()`, and `realpath()` to validate the source file path under the caller's privileges. After this check, however, it re-canonicalizes and opens the file with the effective user ID (euid) set to 0 (root), without safeguards such as `O_NOFOLLOW`, a device/inode comparison, or a post-open `fstat()` to confirm that the target has not changed. This leaves a narrow race window in which an attacker can replace the validated source file with a symbolic link pointing to any root-owned file or device, tricking the SUID binary into mounting it with elevated permissions.

Successful exploitation requires a specific pre-condition: an existing `/etc/fstab` entry with the `user,loop` options, where the configured path points to a directory under the attacker's control. This vulnerability, with a CVSS score of 4.7, represents a significant local privilege escalation risk for systems utilizing the affected versions of util-linux (prior to 2.41.4). The immediate action required is to update the util-linux package to version 2.41.4 or later to mitigate this security flaw.
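The three safeguards named above, shown together in an added example that is not util-linux code: `validate_source()` stands in for the unprivileged check and records the file's device/inode pair, and `open_verified()` performs the later open with `O_NOFOLLOW` and a post-open `fstat()` that must match that record. `demo_check_then_use()` is a self-test in a temporary directory; the function names and the `/tmp` location are this example's own choices, and the `/etc/hostname` link target is only a constructed stand-in for a root-owned file.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Check": canonicalize and lstat the source, recording its dev/inode identity. */
static int validate_source(const char *path, struct stat *out)
{
    char resolved[PATH_MAX];
    if (!realpath(path, resolved) || lstat(resolved, out) == -1) return -1;
    return S_ISREG(out->st_mode) ? 0 : -1;   /* only a regular file qualifies */
}

/* "Use": the privileged open, hardened with O_NOFOLLOW and a post-open
 * fstat() that must match the dev/inode pair recorded at check time. */
static int open_verified(const char *path, const struct stat *expected)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) return -1;
    if (fstat(fd, &now) == -1 || now.st_dev != expected->st_dev ||
        now.st_ino != expected->st_ino) {
        close(fd);                  /* not the object that was validated */
        return -1;
    }
    return fd;
}

/* Self-test in a temp dir, no privileges needed. With swap != 0 the validated file
 * is replaced by a symlink between check and use (the race in the text). Returns 1
 * if open_verified() refused, 0 if it accepted, -1 on setup error. */
int demo_check_then_use(int swap)
{
    char dir[] = "/tmp/toctou-XXXXXX", path[PATH_MAX];
    struct stat checked;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/image", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || close(fd) == -1 || validate_source(path, &checked) == -1)
        return -1;
    if (swap && (unlink(path) == -1 || symlink("/etc/hostname", path) == -1))
        return -1;
    fd = open_verified(path, &checked);
    int refused = (fd == -1);
    if (!refused) close(fd);
    unlink(path); rmdir(dir);
    return refused;
}
```

With the swap, `open()` fails with `ELOOP` before any data is touched; had the link been followed, the `fstat()` comparison would still have caught the changed inode.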