CVE-2026-54231 - Vulnerability Details

- Abrt: unsanitized systemd journal content written to dump directory files enables content injection

Description

A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A local user can inject arbitrary content into the journal output by embedding newline characters in syslog messages, controlling the content that root writes to dump directory files.

Published: 2026-06-13

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A content injection flaw was found in the ABRT post-create event handler scripts in libreport. The event script reads systemd journal entries that match a crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. It corresponds to CWE-74 and allows a local user, by embedding newline characters in syslog messages, to inject arbitrary content into the journal output. This gives the attacker control over the data root writes to dump directory files, potentially enabling the insertion of malicious payloads or code that may later be processed when the dump files are accessed.

Affected Systems

Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8 are impacted. The vulnerability exists in the ABRT component of these distributions; no more granular version details are provided, so any RHEL 6, 7, or 8 system with ABRT installed is at risk.

Risk and Exploitability

The CVSS base score is 5.5, indicating moderate severity, and the EPSS score is not available while the vulnerability is not listed in the CISA KEV catalog. The attack vector is local only, requiring a user to write to the systemd journal and embed newline characters. Given the moderate score and local nature, the overall risk is moderate, but the ability to inject arbitrary content into root-owned dump files could assist a local attacker in further compromising the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Enterprise Linux 6	unknown	—
Red Hat	Red Hat Enterprise Linux 7	affected	—
Red Hat	Red Hat Enterprise Linux 8	affected	—

No data.

No data available yet.

Remediation

Vendor Workaround

The following practices would help for avoiding exposure and mitigate this flaw: - Disable or remove ABRT if it is not required. On RHEL 8 systems where ABRT is installed, it can be disabled with: systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service - On Fedora systems, consider using systemd-coredump instead of ABRT for crash handling - Restrict local user access to systems running ABRT, as this vulnerability requires local access

OpenCVE Recommended Actions

Disable ABRT services if not required, e.g., run "systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service".
Restrict local user access to systems running ABRT, since this vulnerability requires local access.
If crash handling is required, consider switching to systemd-coredump or another tool instead of ABRT.

Generated by OpenCVE AI on June 13, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-54231
https://bugzilla.redhat.com/show_bug.cgi?id=2488571

History

Sat, 13 Jun 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A local user can inject arbitrary content into the journal output by embedding newline characters in syslog messages, controlling the content that root writes to dump directory files.
Title		Abrt: unsanitized systemd journal content written to dump directory files enables content injection
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-74
CPEs		cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2026-54231 https://bugzilla.redhat.com/show_bug.cgi?id=2488571
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-13T02:34:37.428Z

Updated: 2026-06-13T02:34:37.428Z

Reserved: 2026-06-12T15:09:04.249Z

Link: CVE-2026-54231

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-13T03:16:21.877

Modified: 2026-06-13T03:16:21.877

Link: CVE-2026-54231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T03:30:18Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object