CVE-2026-15809 PUBLISHED

Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env

Assigner: redhat
Reserved: 15.07.2026 Published: 15.07.2026 Updated: 15.07.2026

A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Product Status

Vendor Red Hat
Product Confidential Compute Attestation
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4
Versions Default: affected

Workarounds

Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations.

Credits

  • Red Hat would like to thank Nebojša Jaćović for reporting this issue.

References