Severity by source

Vendor (redhat), primary rating: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor rationale: a local authenticated user racing a TOCTOU window justifies AV:L/AC:H/PR:L; the primitive is a root-owned file write, so I:H, with limited confidentiality and availability impact.

NVD CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.
Analysis (AI)
Local privilege escalation in the abrt-dbus D-Bus service on Red Hat Enterprise Linux 6, 7, and 8 allows any unprivileged local user to win a TOCTOU race against the SetElement method, writing arbitrary text files into root-owned dump directories. By exploiting the gap between dump directory creation and post-create event execution, an attacker bypasses package validation and persists crash data for unpackaged binaries inside privileged paths, with no public exploit identified at time of analysis.
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an interactive local session on a RHEL 6/7/8 host where the abrt-dbus service is running and reachable on the system bus; the attacker must be able to invoke the SetElement method on org.freedesktop.problems and must trigger or observe a fresh crash dump directory in order to race it. … |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N with H/H/H impacts yields a 7.8 score, which is consistent with a local user gaining the ability to plant root-owned files and influence a root-context post-create flow. … |
| Exploit Scenario | A local unprivileged user with shell access (for example, a low-trust developer on a shared RHEL build host, or an attacker who has already gained a foothold via a web application) triggers a crash to create a dump directory, then races abrt-dbus by repeatedly calling SetElement against the new directory before the post-create handler runs. Winning the race lets them deposit attacker-controlled text files into the root-owned dump directory and preserve crash records for unpackaged binaries that the post-create policy would normally discard, giving them a foothold for further abuse of any tooling that later trusts those files. |
| Remediation | No vendor-released patch version is identified in the supplied data at time of analysis. Monitor https://access.redhat.com/security/cve/CVE-2026-54228 and Bugzilla 2488531, and apply the abrt/abrt-dbus errata for each RHEL stream as soon as Red Hat publishes them, prioritizing RHEL 8 (still under standard maintenance) and using Extended Lifecycle Support channels for RHEL 6/7 where available. … |
Recommended Action (AI)
Within 24 hours: Inventory RHEL 6, 7, 8 systems with abrt-dbus enabled; categorize by criticality. …
Related identifiers: EUVD-2026-36637, GHSA-6pjg-wmm6-r8rp