CVE-2026-54230 PUBLISHED

Abrt: event handler scripts follow symlinks when writing output files, allowing arbitrary file overwrites

Assigner: redhat
Reserved: 12.06.2026 Published: 13.06.2026 Updated: 13.06.2026

A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Workarounds

The following practices would help for avoiding exposure and mitigate this flaw:

Disable or remove ABRT if it is not required. On RHEL 8 systems where ABRT is installed, it can be disabled with: systemctl disable --now abrtd.service abrt-journal-core.service abrt-oops.service abrt-xorg.service
On Fedora systems, consider using systemd-coredump instead of ABRT for crash handling
Restrict local user access to systems running ABRT, as this vulnerability requires local access

Credits

Red Hat would like to thank Red Team (Deutsche Telekom Security GmbH) for reporting this issue.

References

Problem Types

Improper Link Resolution Before File Access ('Link Following') CWE