CVE-2026-54229 - Vulnerability Details

- Abrt: chownproblemdir succeeds during active post-create event processing due to inadequate locking

Description

A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running.

Published: 2026-06-13

Score: 7 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A race condition exists in the abrt-dbus D-Bus service’s ChownProblemDir method. The method opens the dump directory with a read‑only flag and then changes the ownership of every file in that directory to the caller’s UID. Because the operation succeeds even when event handlers still hold a write lock, an attacker can gain control of the dump directory while privileged event scripts are executing. This allows local users to modify or access files that should remain protected, enabling filesystem‑level privilege escalation.

Affected Systems

Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8 are affected by this flaw.

Risk and Exploitability

The CVSS score of 7 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, which suggests it has not yet been widely exploited in the wild. However, the attack requires local access to the affected systems. Once local access is obtained, the ability to claim ownership of the dump directory during active event processing presents a clear pathway for privilege escalation, especially on systems where ABRT is enabled and event scripts run with elevated privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Enterprise Linux 6	unknown	—
Red Hat	Red Hat Enterprise Linux 7	affected	—
Red Hat	Red Hat Enterprise Linux 8	affected	—

No data.

No data available yet.

Remediation

Vendor Workaround

The following practices would help for avoiding exposure and mitigate this flaw: - Disable or remove ABRT if it is not required. On RHEL 8 systems where ABRT is installed, it can be disabled with: systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service - On Fedora systems, consider using systemd-coredump instead of ABRT for crash handling - Restrict local user access to systems running ABRT, as this vulnerability requires local access

OpenCVE Recommended Actions

Disable ABRT services on RHEL systems (systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service)
Restrict local user access to systems running ABRT (e.g., limit usage to privileged users)
Consider using systemd-coredump instead of ABRT for crash handling where applicable

Generated by OpenCVE AI on June 13, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-54229
https://bugzilla.redhat.com/show_bug.cgi?id=2488532

History

Sat, 13 Jun 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running.
Title		Abrt: chownproblemdir succeeds during active post-create event processing due to inadequate locking
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-362
CPEs		cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2026-54229 https://bugzilla.redhat.com/show_bug.cgi?id=2488532
Metrics		cvssV3_1 `{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-13T02:34:31.110Z

Updated: 2026-06-13T02:34:31.110Z

Reserved: 2026-06-12T15:09:04.249Z

Link: CVE-2026-54229

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-13T03:16:21.587

Modified: 2026-06-13T03:16:21.587

Link: CVE-2026-54229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T03:30:18Z

Weaknesses

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object