Severity: Unknown
Affected Package: kernel/vfs
Summary: unlinkat(2)/funlinkat(2) ignore the AT_RESOLVE_BENEATH flag (CVE-2026-49421)
kern_funlinkat_ex() validated the AT_RESOLVE_BENEATH flag but then invoked the underlying path lookup with a hardcoded flag argument, silently dropping the flag so that path resolution was not actually restricted.

1. AT_RESOLVE_BENEATH containment bypass (CWE-22, CVE-2026-49421) - a caller relying on AT_RESOLVE_BENEATH with unlinkat(2)/funlinkat(2) for path containment could resolve and delete files outside the intended directory tree.

Applications that use AT_RESOLVE_BENEATH with unlinkat(2)/funlinkat(2) to confine path resolution on untrusted paths lose that containment guarantee.
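The validate-then-drop pattern described above, as a small user-space model added here for illustration; it is not the kernel's code. The function names, flag bits and error value are constructed, symlinks are not modelled, and the pass-through variant is an assumption about what a correction looks like.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Model flag bits and error code: constructed values, not kernel constants. */
#define M_REMOVEDIR 0x1
#define M_BENEATH   0x2            /* stands in for AT_RESOLVE_BENEATH */
#define M_EESCAPE   (-1)           /* path would leave the start directory */

/* Model lookup relative to a start directory. With M_BENEATH set, absolute
 * paths and any ".." climbing above the start are rejected. 0 = would unlink. */
int model_lookup(const char *path, int lookup_flags)
{
    int beneath = lookup_flags & M_BENEATH, depth = 0;
    if (beneath && path[0] == '/')
        return M_EESCAPE;
    for (const char *p = path; *p != '\0'; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            depth--;
        else if (n > 0 && !(n == 1 && p[0] == '.'))
            depth++;
        if (beneath && depth < 0)
            return M_EESCAPE;
        p += n + strspn(p + n, "/");
    }
    return 0;
}

int unlink_buggy(const char *path, int flag)
{
    if (flag & ~(M_REMOVEDIR | M_BENEATH))
        return EINVAL;
    return model_lookup(path, 0);  /* defect: constant passed, flag dropped */
}

int unlink_fixed(const char *path, int flag)
{
    if (flag & ~(M_REMOVEDIR | M_BENEATH))
        return EINVAL;
    return model_lookup(path, flag & M_BENEATH);  /* assumed fix: forward it */
}

int main(void)
{
    /* "sub/../../outside" is a constructed sample path. */
    printf("buggy=%d fixed=%d\n", unlink_buggy("sub/../../outside", M_BENEATH),
           unlink_fixed("sub/../../outside", M_BENEATH));
    return 0;
}
```

Both wrappers reject unknown flag bits identically, which is why flag-validation tests alone do not catch the defect; only a test that checks the containment result does.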
No specific recommendations provided.
Aliases: CVE-2026-49421
Published: July 01, 2026
Last Modified: July 01, 2026