Description
A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.
Published: 2026-06-13
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ABRT post-create event handler scripts in libreport generate output files via shell redirections without the O_NOFOLLOW flag. If a local user replaces a target file with a symlink, the root-running shell follows the symlink and writes data to the link's real destination, so whoever plants the symlink can overwrite whichever file it points at. The flaw is improper link resolution before file access (CWE-59).
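As an added illustration (not code from the advisory or from libreport itself), the open(2) flags the description names: a writer that creates its output file with O_NOFOLLOW and O_EXCL refuses a planted symlink, so the file the link points at is left untouched. The temporary directory, file names and error handling below are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` fresh and write `data` to it. O_NOFOLLOW rejects a symlink at
 * `path` (ELOOP) and O_EXCL rejects any pre-existing entry (EEXIST), so a planted
 * link cannot redirect the write; a plain `>` redirection uses O_CREAT|O_TRUNC. */
static int write_nofollow(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* errno: EEXIST or ELOOP for a link */
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    int saved = errno;
    close(fd);
    errno = saved;
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Demo in a fresh temp dir: `target` stands in for a sensitive file and
 * `output.txt` for an event-script output name replaced by a symlink to it.
 * Returns 1 if the hardened writer refused the link and `target` stayed empty. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/abrt-demo-XXXXXX";          /* constructed path */
    char target[64], link[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/output.txt", dir);
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0 || close(tfd) != 0 || symlink(target, link) != 0)
        return 0;
    int refused = write_nofollow(link, "event output\n") == -1 &&
                  (errno == EEXIST || errno == ELOOP);
    int untouched = stat(target, &st) == 0 && st.st_size == 0;
    unlink(link); unlink(target); rmdir(dir);   /* clean up the demo dir */
    return refused && untouched;
}
```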

Affected Systems

Red Hat Enterprise Linux 6, 7, and 8 are affected. The vulnerability resides in the ABRT component that runs as root on these distributions.

Risk and Exploitability

The CVSS score of 7 indicates a high severity, and although the EPSS score is not available, the lack of KEV listing suggests limited current exploitation. Attackers must have local access to a system that has ABRT installed and trigger event handlers that write files, typically by raising a crash event. If successful, they can overwrite arbitrary files, representing a severe integrity breach on a system with root privileges.

Generated by OpenCVE AI on June 13, 2026 at 03:50 UTC.

Remediation

Vendor Workaround

The following practices help avoid exposure and mitigate this flaw:

  • Disable or remove ABRT if it is not required. On RHEL 8 systems where ABRT is installed, it can be disabled with: systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service
  • On Fedora systems, consider using systemd-coredump instead of ABRT for crash handling.
  • Restrict local user access to systems running ABRT, as this vulnerability requires local access.

OpenCVE Recommended Actions

  • Disable or uninstall ABRT by stopping and disabling abrtd.service, abrt-journal-core.service, abrt-oops.service, and abrt-xorg.service with systemctl
  • Restrict local user access to the system or protect the directories where ABRT writes files to prevent local privilege escalation
  • If the system requires crash handling, switch to an alternative such as systemd‑coredump on Fedora to avoid ABRT’s insecure behaviour

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 02:45:00 +0000

Type | Values Removed | Values Added
Description | (empty) | A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.
Title | (empty) | Abrt: event handler scripts follow symlinks when writing output files, allowing arbitrary file overwrites
First Time appeared | (empty) | Redhat; Redhat enterprise Linux
Weaknesses | (empty) | CWE-59
CPEs | (empty) | cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8
Vendors & Products | (empty) | Redhat; Redhat enterprise Linux
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-13T02:34:35.969Z

Reserved: 2026-06-12T15:09:04.249Z

Link: CVE-2026-54230

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-13T03:16:21.733

Modified: 2026-06-13T03:16:21.733

Link: CVE-2026-54230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T04:00:05Z

Weaknesses
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')