Skip to main content

CRI-O CVE-2026-15809

| EUVDEUVD-2026-44661 HIGH
Improper Encoding or Escaping of Output (CWE-116)
2026-07-15 redhat GHSA-9gq4-2485-q63q
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Attacker needs local low-privilege ability to set container env vars (AV:L/PR:L), no interaction, and injecting a privileged /etc/passwd entry yields full container compromise (C/I/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 13:22 vuln.today
Analysis Generated
Jul 15, 2026 - 13:22 vuln.today
CVE Published
Jul 15, 2026 - 12:32 nvd
HIGH 7.8

DescriptionCVE.org

A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.

AnalysisAI

Privilege escalation in CRI-O (the OCI container runtime used by Red Hat OpenShift Container Platform 4 and many Kubernetes clusters) lets an attacker who can set container environment variables inject a newline into the HOME variable and append arbitrary lines to /etc/passwd, enabling creation of a rootful or otherwise privileged account inside the container. It is a bypass of the incomplete fix for CVE-2022-4318, whose HOME sanitization was insufficient. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain rights to set container env vars
Delivery
Craft HOME with embedded newline
Exploit
CRI-O writes injected /etc/passwd line
Execution
Privileged account created in container
Impact
Escalate privileges inside container

Vulnerability AssessmentAI

Exploitation The attacker must be able to set environment variables on a container that CRI-O creates - specifically the HOME variable - and inject a newline (\n) into its value so that /etc/passwd gains attacker-controlled lines. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8, High) describes a local, low-privilege, no-interaction attack with high confidentiality, integrity and availability impact - consistent with the description: the attacker must already be able to influence a container's environment variables (PR:L) and operates locally (AV:L), but can then plant a privileged /etc/passwd entry. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious tenant or a compromised CI pipeline with permission to define a pod's environment variables sets HOME to a value containing an embedded newline that crafts a second /etc/passwd entry (e.g. a UID 0 account with a login shell). …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the CRI-O update that includes cri-o/cri-o PR #6450 (https://github.com/cri-o/cri-o/pull/6450) and the follow-up PR #6524 (https://github.com/cri-o/cri-o/pull/6524), which reject any HOME environment value containing a newline. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all OpenShift Container Platform 4 and CRI-O deployments and identify which service accounts, applications, or CI/CD pipelines have the ability to set container environment variables in pod specifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy