VYPR
High severity · 7.8 · NVD Advisory · Published Jun 13, 2026

CVE-2026-54228

Description

A TOCTOU race condition in abrt-dbus's SetElement method allows local users to write arbitrary files to dump directories, bypassing package validation for unpackaged binaries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A time-of-check time-of-use (TOCTOU) race condition exists in the SetElement method of the abrt-dbus D-Bus service [1][2]. Between the creation of a dump directory by abrtd and the execution of post-create event scripts, a local user can call SetElement to write arbitrary text files into the root-owned dump directory. The access check (dd_accessible_by_uid) reads the uid element inside the dump directory, which matches the caller's UID because the crash was triggered by the caller's process [2]. No specific affected version is disclosed, but the vulnerability is present in the abrt-dbus component.

Exploitation

An attacker with local user access can trigger a crash of any process to initiate dump directory creation. During the several-second window before post-create event processing, the attacker repeatedly calls SetElement to plant arbitrary text files into the dump directory. For example, the attacker can set the component element to a value that bypasses package validation (abrt-action-save-package-data) [2]. No additional privileges beyond a local account are required.

Impact

Successful exploitation allows the attacker to inject arbitrary text files into the dump directory, specifically to manipulate the component element. This bypasses package validation, enabling crash reports from unpackaged binaries to survive post-create processing [2]. The impact is limited to bypassing a security check, but could be leveraged to trigger further vulnerabilities in event scripts or to persist crash data in an unexpected manner.
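To make the check-then-use ordering described in the Vulnerability, Exploitation and Impact sections concrete, the following is an added Python model written for this page; it is not abrt's code, and the state-gated `SetElement` variant is an assumed mitigation pattern, not the project's fix (none is published as of this advisory). The in-memory `DumpDir`, the `PACKAGED_EXECUTABLES` table, the `SERVICE_OWNED_ELEMENTS` set and the simplified package-validation step are all constructed for illustration:

```python
"""Constructed model of the TOCTOU window described in CVE-2026-54228.

The dump directory, the package table and the validation step are simplified
stand-ins so the ordering problem (check passes, write lands, validation runs
too late) and one state-gating mitigation can be reasoned about offline.
This is not abrt's code and the mitigation is an assumption.
"""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    CREATED = "created"                     # abrtd wrote the initial elements
    POST_CREATE_DONE = "post_create_done"   # event scripts have finished


@dataclass
class DumpDir:
    """In-memory stand-in for a root-owned dump directory (element name -> text)."""
    elements: dict = field(default_factory=dict)
    stage: Stage = Stage.CREATED


# Constructed package table: executables a package manager would claim.
PACKAGED_EXECUTABLES = {"/usr/bin/packaged-tool": "packaged-tool-1.0"}

# Element names only abrtd or its event scripts should author (assumption).
SERVICE_OWNED_ELEMENTS = {"uid", "executable", "component", "package"}


def abrtd_create_dump(executable: str, crashing_uid: int) -> DumpDir:
    """abrtd records the crashing process; the uid element equals that process's UID."""
    return DumpDir(elements={"executable": executable, "uid": str(crashing_uid)})


def dd_accessible_by_uid(dd: DumpDir, uid: int) -> bool:
    """The check the advisory describes: trust the uid element inside the directory."""
    return dd.elements.get("uid") == str(uid)


def set_element_vulnerable(dd: DumpDir, caller_uid: int, name: str, value: str) -> bool:
    """Check, then use: the check passes at every lifecycle stage, so a write can
    land before post-create processing has examined the directory."""
    if not dd_accessible_by_uid(dd, caller_uid):
        return False
    dd.elements[name] = value
    return True


def set_element_hardened(dd: DumpDir, caller_uid: int, name: str, value: str) -> bool:
    """Assumed mitigation: keep the UID check, refuse writes until post-create has
    completed, and never let a D-Bus client author service-owned elements."""
    if not dd_accessible_by_uid(dd, caller_uid):
        return False
    if dd.stage is not Stage.POST_CREATE_DONE:
        return False
    if name in SERVICE_OWNED_ELEMENTS:
        return False
    dd.elements[name] = value
    return True


def post_create_package_validation(dd: DumpDir) -> bool:
    """Simplified model of abrt-action-save-package-data: the report is kept when
    the executable is packaged, or when a component element is already present
    (the gap the advisory describes). Returns True if the report survives."""
    package = PACKAGED_EXECUTABLES.get(dd.elements["executable"])
    if package is not None:
        dd.elements["package"] = package
        dd.elements.setdefault("component", package.rsplit("-", 1)[0])
        kept = True
    else:
        kept = "component" in dd.elements
    dd.stage = Stage.POST_CREATE_DONE
    return kept


def unpackaged_report_survives(set_element) -> bool:
    """Drive the lifecycle with a given SetElement implementation: an unpackaged
    binary crashes under UID 1000, a 'component' write arrives inside the window,
    then post-create validation runs."""
    caller_uid = 1000
    dd = abrtd_create_dump("/home/user/unpackaged-bin", caller_uid)
    set_element(dd, caller_uid, "component", "packaged-tool")
    return post_create_package_validation(dd)


if __name__ == "__main__":
    print("vulnerable path keeps unpackaged report:", unpackaged_report_survives(set_element_vulnerable))
    print("hardened path keeps unpackaged report:  ", unpackaged_report_survives(set_element_hardened))
```

The point of the model is that the UID check is not wrong in itself; it answers the wrong question for this stage of the directory's life. Gating on lifecycle state (and on which elements a client may author at all) is what removes the window, which is why a detection rule keyed on the `uid` element alone would not help.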

Mitigation

As of the publication date (2026-06-13), no official patch has been released [1][2]. Red Hat has acknowledged the issue via Bugzilla [2]. Users should monitor for updates from their distribution vendor. No workaround is documented in the available references.

AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.