CVE-2026-15809
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
Workarounds
Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/security/cve/CVE-2026-15809
- https://access.redhat.com/security/cve/cve-2022-4318
- https://bugzilla.redhat.com/show_bug.cgi?id=2500846
- https://github.com/cri-o/cri-o/pull/6450
- https://github.com/cri-o/cri-o/pull/6524
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.