CVE-2026-54230
Description
A symlink following vulnerability in libreport's ABRT event handlers allows a root shell to overwrite arbitrary files via a crafted symlink.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A symlink following vulnerability exists in the ABRT post-create event handler scripts in /etc/libreport/events.d/abrt_event.conf, part of libreport. The scripts write output files using shell redirections such as printf ... > $DUMP_DIR/var_log_messages, which invoke open() with O_WRONLY|O_CREAT|O_TRUNC without the O_NOFOLLOW flag [1][2]. If the target file is replaced with a symlink, the shell process—running as root in the abrt_handle_event_t SELinux domain (effectively unconfined)—follows the symlink and writes content to the symlink target [2]. This affects all libreport versions prior to the fix.
Exploitation
An attacker must first gain filesystem control of the ABRT dump directory, for example by exploiting a separate vulnerability or by having write access to that directory [2]. The attacker replaces an output file (such as var_log_messages) with a symlink pointing to a sensitive system file, e.g., /var/spool/cron/root. When a crash report triggers the post-create event handler, the root shell follows the symlink and overwrites the target file with crash report data [2]. No user interaction beyond the trigger is required.
Impact
Successful exploitation results in arbitrary file overwrites as root [1]. This can enable privilege escalation, for example by overwriting cron entries or configuration files. The confidentiality, integrity, and availability impact is high due to the root privilege context.
Mitigation
As of the publication date, no fixed version has been released by Red Hat [1][2]. A workaround is to restrict write access to the ABRT dump directory or to enforce SELinux policies that block symlink following in the abrt_handle_event_t domain. Users should monitor the Red Hat advisory for updates. If no fix is available, this should be considered a high-severity exposure.
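An added example, not code from libreport or from the cited references: it reproduces the redirection behaviour described under Vulnerability inside a throwaway directory and sets it beside a write-then-rename pattern. The function names, paths and sample data are constructed for illustration, and safe_write is an assumption about one way to harden such a handler, not the upstream fix.

```shell
#!/bin/sh
# Added example. Everything runs under a mktemp directory; no real ABRT
# dump directory or system file is touched.

# Pattern from the description: a plain redirection opens its target with
# O_WRONLY|O_CREAT|O_TRUNC and follows a symlink in the last path component.
unsafe_write() {    # unsafe_write FILE DATA
    printf '%s\n' "$2" > "$1"
}

# Hardened variant (an assumption, not libreport's fix): mktemp creates a
# fresh file with O_EXCL, which never follows a symlink, and rename(2) then
# replaces whatever sits at FILE, symlink included, instead of writing
# through it. Covers the final path component only. mv -T is GNU coreutils.
safe_write() {      # safe_write FILE DATA
    dir=$(dirname -- "$1") || return 1
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" && mv -f -T -- "$tmp" "$1" && return 0
    rm -f -- "$tmp"
    return 1
}

# Constructed scenario: var_log_messages in a fake dump dir has been swapped
# for a symlink to a stand-in "sensitive" file. Reports what the writer did.
demo() {            # demo unsafe_write|safe_write
    root=$(mktemp -d) || return 1
    mkdir "$root/dump"
    echo "original" > "$root/sensitive"
    ln -s "$root/sensitive" "$root/dump/var_log_messages"
    "$1" "$root/dump/var_log_messages" "crash report data"
    if [ -L "$root/dump/var_log_messages" ]; then kind=symlink; else kind=regular; fi
    echo "sensitive=$(cat "$root/sensitive") dumpfile=$kind"
    rm -rf -- "$root"
}

demo unsafe_write   # sensitive=crash report data dumpfile=symlink
demo safe_write     # sensitive=original dumpfile=regular
```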
AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.