MNBSD-2026-61: unlinkat(2)/funlinkat(2) ignore the AT_RESOLVE_BENEATH flag (CVE-2026-49421)

Severity: Unknown

Affected Package: kernel/vfs

Summary: unlinkat(2)/funlinkat(2) ignore the AT_RESOLVE_BENEATH flag (CVE-2026-49421)

Description

kern_funlinkat_ex() validated the AT_RESOLVE_BENEATH flag but then invoked the underlying path lookup with a hardcoded flag argument, silently dropping the flag so that path resolution was not actually restricted.

1. AT_RESOLVE_BENEATH containment bypass (CWE-22, CVE-2026-49421) - a caller relying on AT_RESOLVE_BENEATH with unlinkat(2)/funlinkat(2) for path containment could resolve and delete files outside the intended directory tree.

Applications that use AT_RESOLVE_BENEATH with unlinkat(2)/funlinkat(2) to confine path resolution on untrusted paths lose that containment guarantee.

Affected Versions

kernel/vfs

Recommendations

No specific recommendations provided.

Additional Information

Aliases: CVE-2026-49421

Published: July 01, 2026
Last Modified: July 01, 2026