Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attacker needs local low-privilege ability to set container env vars (AV:L/PR:L), no interaction, and injecting a privileged /etc/passwd entry yields full container compromise (C/I/A:H).
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
AnalysisAI
Privilege escalation in CRI-O (the OCI container runtime used by Red Hat OpenShift Container Platform 4 and many Kubernetes clusters) lets an attacker who can set container environment variables inject a newline into the HOME variable and append arbitrary lines to /etc/passwd, enabling creation of a rootful or otherwise privileged account inside the container. It is a bypass of the incomplete fix for CVE-2022-4318, whose HOME sanitization was insufficient. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to set environment variables on a container that CRI-O creates - specifically the HOME variable - and inject a newline (\n) into its value so that /etc/passwd gains attacker-controlled lines. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8, High) describes a local, low-privilege, no-interaction attack with high confidentiality, integrity and availability impact - consistent with the description: the attacker must already be able to influence a container's environment variables (PR:L) and operates locally (AV:L), but can then plant a privileged /etc/passwd entry. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious tenant or a compromised CI pipeline with permission to define a pod's environment variables sets HOME to a value containing an embedded newline that crafts a second /etc/passwd entry (e.g. a UID 0 account with a login shell). … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the CRI-O update that includes cri-o/cri-o PR #6450 (https://github.com/cri-o/cri-o/pull/6450) and the follow-up PR #6524 (https://github.com/cri-o/cri-o/pull/6524), which reject any HOME environment value containing a newline. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all OpenShift Container Platform 4 and CRI-O deployments and identify which service accounts, applications, or CI/CD pipelines have the ability to set container environment variables in pod specifications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44661
GHSA-9gq4-2485-q63q