VYPR
High severity 7.0 · NVD Advisory · Published Jun 13, 2026

CVE-2026-54229

Description

A race condition in abrt-dbus's ChownProblemDir method allows an attacker to gain filesystem control of dump directories while privileged event scripts run.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A race condition exists in the abrt-dbus D-Bus service's ChownProblemDir method. The method opens a dump directory with DD_OPEN_READONLY (which does not require a write lock) and calls dd_chown to change ownership of all files to the caller's UID. This operation can succeed even while post-create event handlers hold a write lock on the same dump directory, because the read-only open does not conflict with the write lock. The vulnerability is present in abrt-dbus versions prior to a fix [1][2].
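The locking gap described above, modelled as an added example (not abrt or libreport code, and not the project's fix, which this page reports as unpublished). Assumptions: `flock(2)` stands in for the dump-directory write lock, and the function names and `/tmp` path are constructed for illustration. An ownership change reached through a lock-free read-only open succeeds while a simulated event handler holds the lock; a lock-first variant is refused.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Model only: flock(2) stands in for the dump-directory write lock. */
/* Read-only open: ownership changes without ever consulting the lock. */
static int chown_readonly_path(const char *dir, uid_t uid)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int rc = fchown(fd, uid, (gid_t)-1);   /* group left unchanged */
    close(fd);
    return rc;
}

/* Hardened: take the write lock first; refuse while someone else holds it. */
static int chown_locked_path(const char *dir, uid_t uid)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int rc = -1;
    if (flock(fd, LOCK_EX | LOCK_NB) == 0)
        rc = fchown(fd, uid, (gid_t)-1);
    close(fd);                             /* also releases our lock, if taken */
    return rc;
}

/* A simulated event handler holds the write lock while chown is requested.
 * Returns 0 if ownership was changed, -1 if refused, -2 on setup failure. */
int chown_during_event(int hardened)
{
    char dir[] = "/tmp/dumpdir-model-XXXXXX";  /* constructed path */
    if (!mkdtemp(dir)) return -2;
    int handler_fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (handler_fd < 0 || flock(handler_fd, LOCK_EX) != 0) return -2;
    int rc = (hardened ? chown_locked_path : chown_readonly_path)(dir, getuid());
    close(handler_fd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("read-only: %d, lock-first: %d\n", chown_during_event(0), chown_during_event(1));
    return 0;
}
```

The model changes ownership to the caller's own UID so it runs unprivileged; the point is which code path reaches `fchown` while the lock is held.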

Exploitation

An attacker must be able to invoke the ChownProblemDir method via D-Bus, typically as a local user. During active post-create event processing, while the event handler holds a write lock on the dump directory, the attacker sends a ChownProblemDir request. The read-only open succeeds, and dd_chown changes ownership of the directory's files to the attacker's UID. From that point the attacker has direct filesystem-level access to the dump directory (can delete files, create symlinks, etc.) while the already-running event shell process continues executing with root privileges [1][2].

Impact

Successful exploitation gives the attacker filesystem-level control over the dump directory while privileged event scripts are still running with root privileges in the abrt_handle_event_t SELinux domain. This can lead to arbitrary file operations (deletion, symlink creation) and may be leveraged for further privilege escalation or system compromise [1][2].

Mitigation

As of the publication date (2026-06-13), no official patch has been released. Red Hat has acknowledged the vulnerability and is tracking it in Bugzilla [2]. Administrators should monitor for updates from Red Hat and apply the fix as soon as it becomes available. No workaround has been disclosed in the available references [1][2].

AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
