CVE-2026-54229: abrt: ChownProblemDir succeeds during active post-create event processing due to inadequate locking
A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running.
Metrics
- CVSS v3.1: 7.0
- Severity: HIGH
- Fixed in: —
- Affected Products: 3
HarborGuard Analysis
Synopsis
A race condition in the abrt-dbus service's ChownProblemDir method allows a local attacker to hijack a crash dump directory on Red Hat Enterprise Linux 6, 7, and 8. The flaw is reachable locally with a low-privilege account and requires no victim interaction, though exploiting it depends on winning a timing race while post-create event handlers hold a write lock. Successful exploitation gives the attacker filesystem-level ownership of the dump directory while privileged scripts are still operating, enabling full read, write, and denial-of-service impact against its contents. HarborGuard is tracking the upstream advisory for patch availability, as no fix version has been published.
HarborGuard Coverage
Detection of CVE-2026-54229 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Red Hat's advisory stream, within minutes of publication and matched against customer images, including custom-built images derived from RHEL 6, 7, or 8 base layers.
Status: Available
Triage is available using the CVSS v3.1 score of 7.0 (HIGH), weighted against each customer org's per-environment compliance policy, with findings routed to the appropriate team inbox based on configured ownership rules.
Status: Available
Because no upstream fix has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Red Hat ships a corrected package. In the interim, compensating-control guidance (network-policy isolation of the abrt-dbus socket and egress filtering for affected workloads) is surfaced in the finding detail for each matched image.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; the vulnerable ChownProblemDir D-Bus method is accessible only to local users.
- Authentication: Required
  A low-privilege local account is sufficient; no administrative or root credentials are needed to invoke the D-Bus method.
- Victim interaction: Not required
  No user interaction of any kind is required; the attacker triggers the race condition entirely through their own D-Bus calls.
- Attack complexity: Detail
  Exploitation depends on winning a timing race against post-create event handlers holding a write lock, introducing environmental factors that make reliable triggering non-trivial.
Blast Radius
- Reads all files in the crash dump directory, including core dumps and environment data that may contain secrets or credentials from the crashed process.
- Overwrites or replaces files in the dump directory while privileged post-create scripts are still executing against them, enabling content tampering.
- Interferes with privileged event handler execution by manipulating dump directory contents mid-run, potentially causing those scripts to act on attacker-controlled data.
- Denial of service against the crash reporting pipeline by corrupting dump directories, preventing legitimate crash data from being collected or analyzed.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-54229, the platform monitors the Red Hat advisory each ingest cycle and will automatically surface a patched-image rebuild the moment a corrected abrt package is published. For images currently matched as affected, the finding detail includes compensating-control guidance: isolating the abrt-dbus D-Bus socket via network or namespace policy, restricting which container users can reach the D-Bus interface, and considering disabling or removing the abrt-dbus service in container images where crash reporting is not a required function. For customers who opt into auto-remediation, a rebuilt image and regression-test run will be initiated automatically once a fix version is available upstream, with a PR opened against affected workloads where compliance policy permits.
Affected Products
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H