Description
A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Published: 2026-07-15
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

Vendor Workaround

Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Title cri-o: Fix Bypass for CVE-2022-4318 — /etc/passwd Injection via HOME env Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env
First Time appeared Redhat
Redhat confidential Compute Attestation
Redhat openshift
CPEs cpe:/a:redhat:confidential_compute_attestation:1
cpe:/a:redhat:openshift:4
Vendors & Products Redhat
Redhat confidential Compute Attestation
Redhat openshift
References

Wed, 15 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Title cri-o: Fix Bypass for CVE-2022-4318 — /etc/passwd Injection via HOME env
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Subscriptions

Redhat Confidential Compute Attestation Openshift
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-15T13:52:03.349Z

Reserved: 2026-07-15T09:57:48.452Z

Link: CVE-2026-15809

cve-icon Vulnrichment

Updated: 2026-07-15T13:06:18.426Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-15T10:18:17Z

Links: CVE-2026-15809 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output