Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Local shell required (AV:L, PR:L), TOCTOU race makes exploitation unreliable (AC:H), and arbitrary root file overwrite yields full C/I/A impact within the same OS scope.
Primary rating from Vendor (redhat).
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.
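The root cause described above, reproduced as an added illustration that is not code from vuln.today, libreport, Red Hat or ABRT: a writer that opens its output the way a shell redirection does (O_CREAT|O_TRUNC, no O_NOFOLLOW) follows a symlink planted at the output path and overwrites the link target, while the hardened writer adds O_NOFOLLOW and fails with ELOOP, leaving the target untouched. Everything runs in a throwaway temporary directory; the file names `target` and `output` and the contents are constructed for the demo, and the example assumes a POSIX open(2) that honours O_NOFOLLOW (Linux, macOS, BSDs).

```python
import errno
import os
import tempfile


def unsafe_write(path: str, content: bytes) -> None:
    """Mirrors the shell's `cmd > path`: O_CREAT|O_TRUNC with no O_NOFOLLOW.

    If `path` is a symlink, the kernel resolves it, so the link *target* is
    truncated and overwritten. Run as root, this is the arbitrary-file-overwrite
    primitive the advisory describes.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, content)
    finally:
        os.close(fd)


def safe_write(path: str, content: bytes) -> None:
    """Hardened form: O_NOFOLLOW makes open(2) refuse a symlink at the final
    path component with ELOOP instead of traversing it, so a link swapped in
    between directory creation and the write cannot redirect the output."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    try:
        os.write(fd, content)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: `target` stands in for a sensitive file and
    `output` is the expected output-file name, already replaced by a symlink
    when the writer opens it. Returns what each writer did to `target`."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        link = os.path.join(d, "output")
        with open(target, "wb") as f:
            f.write(b"original\n")
        os.symlink(target, link)  # the planted symlink at the output path

        # Unsafe writer: the symlink is followed, target is overwritten.
        unsafe_write(link, b"planted\n")
        with open(target, "rb") as f:
            after_unsafe = f.read()

        # Restore target; the symlink is still in place for the second attempt.
        with open(target, "wb") as f:
            f.write(b"original\n")

        # Safe writer: open(2) refuses the symlink, target is left alone.
        safe_error = None
        try:
            safe_write(link, b"planted\n")
        except OSError as e:
            safe_error = errno.errorcode.get(e.errno, str(e.errno))
        with open(target, "rb") as f:
            after_safe = f.read()

    return {
        "after_unsafe": after_unsafe,  # b"planted\n"
        "safe_errno": safe_error,      # "ELOOP"
        "after_safe": after_safe,      # b"original\n"
    }


if __name__ == "__main__":
    print(demo())
```

For a privileged event handler the usual complement to O_NOFOLLOW is O_EXCL (refuse any pre-existing entry at the path) together with opening the spool directory once and using openat(2) relative to that descriptor, so the directory itself cannot be swapped mid-operation either; O_NOFOLLOW alone is what the advisory names and is what the block demonstrates.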
Analysis (AI)
Local privilege escalation via symlink following in libreport's ABRT post-create event handler scripts allows a low-privileged local user to overwrite arbitrary files on Red Hat Enterprise Linux 6, 7, and 8. Because event scripts use shell redirections without O_NOFOLLOW and run as root, swapping an expected output file for a symlink causes root to write attacker-controlled content into the symlink target. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Requires an interactive local account on a RHEL 6, 7, or 8 host with the abrt/libreport stack installed and abrtd actively processing crashes (the default on most RHEL desktop and many server installs); the attacker must be able to cause or induce a crash that ABRT will hand to its post-create event scripts and must win a TOCTOU race to swap the script's output file for a symlink before the root shell opens it for writing. … |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.0) accurately reflects a local, low-privileged, race-condition-dependent root file overwrite; AC:H captures the timing window between abrtd creating the directory and the root event script opening the output file. … |
| Exploit Scenario | A local user with shell access triggers a crash of a SUID or user-owned process so that abrtd creates a crash directory under /var/spool/abrt/ and invokes the post-create event scripts as root. Before the script's shell redirection opens its output file, the attacker wins the race and replaces the expected output path inside the (partially user-writable) crash directory with a symlink pointing to a sensitive target such as /etc/cron.d/runme or /etc/shadow, causing root to truncate and write attacker-controlled content there. … |
| Remediation | Patch available per vendor advisory: apply the libreport (and where applicable abrt) package updates from Red Hat once published per https://access.redhat.com/security/cve/CVE-2026-54230, tracking https://bugzilla.redhat.com/show_bug.cgi?id=2488568 for exact errata version numbers per RHEL 6/7/8 stream, since released patched versions are not enumerated in the supplied data. … |
Recommended Action (AI)
Within 24 hours: enumerate RHEL 6, 7, 8 systems with ABRT enabled and assess local user access scope. …
Related identifiers: EUVD-2026-36639, GHSA-gvjc-4rfj-mxxj