CVE-2026-54229 PUBLISHED

Abrt: chownproblemdir succeeds during active post-create event processing due to inadequate locking

Assigner: redhat
Reserved: 12.06.2026 Published: 13.06.2026 Updated: 13.06.2026

A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Workarounds

The following practices would help for avoiding exposure and mitigate this flaw:

Disable or remove ABRT if it is not required. On RHEL 8 systems where ABRT is installed, it can be disabled with: systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service
On Fedora systems, consider using systemd-coredump instead of ABRT for crash handling
Restrict local user access to systems running ABRT, as this vulnerability requires local access

Credits

Red Hat would like to thank Red Team (Deutsche Telekom Security GmbH) for reporting this issue.

References

Problem Types

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE