CVE-2026-54228 PUBLISHED

Abrt: toctou race condition in abrt-dbus setelement allows arbitrary file writes to dump directories

Assigner: redhat
Reserved: 12.06.2026 Published: 13.06.2026 Updated: 13.06.2026

A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Workarounds

The following practices would help for avoiding exposure and mitigate this flaw:

Disable or remove ABRT if it is not required. On RHEL 8 systems where ABRT is installed, it can be disabled with: systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service
On Fedora systems, consider using systemd-coredump instead of ABRT for crash handling, as ABRT is being phased out in favor of systemd-coredump
Restrict local user access to systems running ABRT, as this vulnerability requires local access

Credits

Red Hat would like to thank Red Team (Deutsche Telekom Security GmbH) for reporting this issue.

References

Problem Types

Time-of-check Time-of-use (TOCTOU) Race Condition CWE