CVE-2026-54231

Vulnerability

A content injection vulnerability exists in the ABRT post-create event handler scripts within libreport. The event script queries the systemd journal for log entries matching the crashed process using journalctl with _COMM and _UID filters, and writes the results to files in the dump directory (e.g., var_log_messages) without sanitizing embedded control characters [1][2]. Affected versions are those of libreport prior to a fix; the specific version range is not disclosed in available references. The script filters out audit lines but does not sanitize syslog entries for control characters like newline (\n), allowing an attacker to control content written by root [2].

Exploitation

An attacker needs only local user access to the system. The attacker pre-populates the systemd journal by setting the process name to a common name (e.g., "sleep") via prctl(PR_SET_NAME) and then calling syslog() with a message containing embedded newline characters and arbitrary content [2]. When a crash of a process with that name occurs, the ABRT post-create event runs journalctl and writes the journal output (including the injected lines) into dump directory files. The injected content appears on separate lines, enabling the attacker to determine what root writes to those files [2].

Impact

A successful attack allows a local user to inject arbitrary content into files created by root in the ABRT dump directory. This compromises the integrity of those files, and if the injected content is later processed or executed by other tools or administrators, it could lead to further privilege escalation or arbitrary code execution. The immediate gain is control over the content written by root, potentially impacting system reliability or security [1][2].

Mitigation

As of the publication date (2026-06-13), no fixed version has been announced in the available references [1][2]. Red Hat Security has acknowledged the issue (Bugzilla #2488571), and a patch is expected. Until a fix is released, administrators should restrict local user access to the systemd journal and consider disabling the ABRT event scripts if not essential. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Monitor Red Hat security advisories for updated libreport packages [1].