CVE-2026-54230

Summary

A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

Workarounds

The following practices would help for avoiding exposure and mitigate this flaw:

  • Disable or remove ABRT if it is not required. On RHEL 8 systems where ABRT is installed, it can be disabled with: systemctl disable –now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service
  • On Fedora systems, consider using systemd-coredump instead of ABRT for crash handling
  • Restrict local user access to systems running ABRT, as this vulnerability requires local access

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

Additional References

References