
abrt-dbus EUVD-2026-36638

CVE-2026-54229 HIGH
Race Condition (CWE-362)
2026-06-13 redhat GHSA-c3cq-8jxp-w66j
7.0 CVSS 3.1 (NVD)

Severity by source

Vendor (redhat), primary: HIGH (qualitative)
NVD: 7.0 HIGH, AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 7.0 HIGH

Local D-Bus call (AV:L) by any logged-in user (PR:L), no user interaction, success requires winning a narrow lock race (AC:H), yielding ownership-level control over privileged dump files (C/I/A:H).

CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat: 7.0 HIGH (qualitative)

Primary rating from Vendor (redhat).

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 13, 2026 02:57 (vuln.today)
CVE Published: Jun 13, 2026 02:34 (cve.org)

Description (NVD)

A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running.

Analysis (AI)

Local privilege escalation in the abrt-dbus D-Bus service on Red Hat Enterprise Linux 6, 7, and 8 allows a low-privileged local user to race the ChownProblemDir method against still-running post-create event handlers. By invoking ChownProblemDir while privileged event scripts hold a write lock on the dump directory, the attacker gains filesystem ownership of files being written by root-context handlers, enabling tampering with privileged output and potential privilege escalation. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privileged local shell on RHEL host
Delivery: Trigger or await a crash that creates a problem directory
Exploit: Race abrt-dbus ChownProblemDir against post-create handlers
Execution: Win the DD_OPEN_READONLY chown while the write lock is held
Persist: Take ownership of files written by privileged scripts
Impact: Tamper with privileged output for escalation

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated local account on a RHEL 6, 7, or 8 host with the abrt-dbus service installed, running, and reachable on the system D-Bus, plus the ability to invoke the ChownProblemDir method on an existing problem directory while abrt post-create event handlers are still executing against that same directory. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H correctly reflects this as a local, low-privileged but high-complexity race with full CIA impact on the abrt subsystem and any data those event scripts touch. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A low-privileged shell user on a RHEL 6/7/8 host triggers a crash (or waits for one) and, in a tight loop, calls the abrt-dbus ChownProblemDir method on the new problem directory while the privileged post-create handlers (e.g. analyze/collect scripts running as the abrt user or root) are still writing into it. …

Remediation: No vendor-released patch identified at time of analysis from the provided input. Track https://access.redhat.com/security/cve/CVE-2026-54229 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2488532 for the fixed abrt package versions for RHEL 6, 7, and 8 and apply them via yum/dnf once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all systems running RHEL 6, 7, and 8 with abrt-dbus enabled; identify which have untrusted local user access. …



EUVD-2026-36638 vulnerability details – vuln.today
