ABRT/libreport Security Advisory — Four TOCTOU and race condition vulnerabilities have been disclosed in ABRT (Automatic Bug Reporting Tool) and libreport, the crash reporting infrastructure used by Red Hat Enterprise Linux, Fedora, and their derivatives. These vulnerabilities (CVE-2026-54228 through CVE-2026-54231) enable local privilege escalation through symlink following, TOCTOU race conditions, and content injection attacks against the crash reporting pipeline. All multi-user Linux systems running ABRT/libreport should apply distribution updates immediately.

---

Background

ABRT (Automatic Bug Reporting Tool) and its supporting library libreport form the standard crash reporting infrastructure on Red Hat Enterprise Linux, Fedora, CentOS Stream, and derivative distributions. When an application crashes, ABRT captures the core dump, collects system metadata, and invokes libreport to process the crash data — creating problem directories, running event scripts, and optionally submitting reports to distribution bug trackers. This crash handling pipeline runs with elevated privileges and interacts with user-owned files and directories, creating a broad attack surface for local privilege escalation.

In June 2026, a set of four security vulnerabilities was disclosed affecting ABRT and libreport across all supported RHEL and Fedora releases. All four vulnerabilities are exploitable by local, unprivileged users and can lead to privilege escalation to root, arbitrary file ownership changes, and unauthorized content injection into privileged workflows. The attack vectors center on TOCTOU (Time-of-Check Time-of-Use) race conditions and symlink following during privileged crash-handling operations.

---

CVE Summaries

CVE-2026-54228 — TOCTOU in SetElement (CVSS 7.8, HIGH)

The most severe of the four vulnerabilities, CVE-2026-54228 resides in the SetElement function within libreport’s problem data manipulation routines. The function performs a check on a file path and then later uses that path in a privileged operation, but a local attacker can replace the file with a symbolic link in the narrow window between the check and the use. Successful exploitation allows an unprivileged user to trick ABRT/libreport into writing to arbitrary files on the filesystem with elevated privileges, leading to full local privilege escalation.

Attack vector: Local, unprivileged user
Impact: Privilege escalation to root, arbitrary file write
CVSS Score: 7.8 (HIGH)

CVE-2026-54229 — Race Condition in ChownProblemDir (CVSS 7.0, HIGH)

CVE-2026-54229 affects the ChownProblemDir function, which is responsible for changing ownership of problem directories created during crash processing. A race condition exists where an attacker can replace a directory component with a symbolic link between the time the ownership change is validated and when it is actually executed via chown(). This enables an unprivileged local user to change the ownership of arbitrary files or directories to the ABRT daemon user, which can be leveraged as a step toward full privilege escalation or used to gain read access to otherwise inaccessible files.

Attack vector: Local, unprivileged user
Impact: Unauthorized file ownership changes, stepping stone to privilege escalation
CVSS Score: 7.0 (HIGH)

CVE-2026-54230 — Symlink Following in Event Scripts (CVSS 7.0, HIGH)

CVE-2026-54230 exists in the event script execution pipeline of libreport. When ABRT processes a crash event, it invokes configured event scripts that operate on files within the problem directory. A local attacker who controls files inside a crash directory can place symbolic links that are followed by privileged event scripts, causing them to read from or write to arbitrary filesystem locations. Because event scripts run with elevated privileges, this symlink-following behavior can be exploited to overwrite system binaries, configuration files, or to exfiltrate sensitive data.

Attack vector: Local, unprivileged user
Impact: Arbitrary file read/write via event scripts, privilege escalation
CVSS Score: 7.0 (HIGH)

CVE-2026-54231 — Content Injection via Event Handler (CVSS 5.5, MEDIUM)

CVE-2026-54231 involves content injection through ABRT’s event handler mechanism. An attacker who can influence the content of a crash report — for example, by triggering a crash in a crafted application that embeds specially formatted data in its process state — can inject content that is misinterpreted by downstream event handlers. While this vulnerability does not directly grant code execution, it can be used to manipulate crash metadata, inject misleading information into problem reports, or bypass security controls that rely on crash data integrity. In combination with other vulnerabilities, it may assist in constructing more sophisticated attack chains.

Attack vector: Local, unprivileged user
Impact: Crash report manipulation, metadata injection, security control bypass
CVSS Score: 5.5 (MEDIUM)

---

Affected Systems

These vulnerabilities affect all distributions shipping ABRT and libreport, including:

• Red Hat Enterprise Linux (RHEL) — All supported versions (RHEL 8 and RHEL 9) ship ABRT and libreport as part of the base system and are affected.
• Fedora Linux — All supported Fedora releases include ABRT/libreport with default desktop installations.
• CentOS Stream — Shares the RHEL package base and is equally affected.
• RHEL derivatives — AlmaLinux, Rocky Linux, Oracle Linux, and other RHEL-compatible distributions that ship ABRT/libreport are affected.

Note: Single-user desktop systems are at lower immediate risk since exploitation requires a local attacker account, but should still be patched. The highest risk is on multi-user systems (shared workstations, HPC login nodes, university computing labs) and CI/CD environments where less-trusted users or processes share systems with ABRT-enabled installations.

---

Consolidated Fix

Red Hat and the Fedora Project have released coordinated security updates addressing all four CVEs. The fixes include:

1. Path resolution hardening — The SetElement and ChownProblemDir functions now use openat()-style directory-relative operations and O_NOFOLLOW flags to prevent symlink-based TOCTOU attacks.
2. Symlink-safe event script execution — Event scripts now resolve paths within problem directories using secure, non-traversable file descriptors before performing filesystem operations.
3. Input sanitization — The event handler pipeline now validates and sanitizes crash metadata before passing it to downstream handlers, closing the content injection vector.

Apply updates immediately using your distribution’s package manager:

• RHEL / CentOS Stream: dnf update abrt libreport
• Fedora: dnf update abrt libreport
• AlmaLinux / Rocky / Oracle Linux: dnf update abrt libreport

After updating, restart the ABRT daemon: systemctl restart abrtd

---

Recommendations

1. Patch multi-user systems immediately. Any system where multiple users have shell access — shared workstations, HPC login nodes, university computer labs, development servers — faces elevated risk from local privilege escalation attacks. Prioritize these systems for patching.
2. Audit CI/CD runners. CI/CD build environments running on RHEL or Fedora that have ABRT installed should be patched as a priority. A compromised CI runner with ABRT vulnerabilities could serve as a persistence mechanism or a pivot point for supply chain attacks if a less-trusted process exploits these CVEs to escalate privileges inside the build environment.
3. Consider disabling ABRT on single-purpose systems. On servers, containers, and CI runners that do not require interactive crash reporting, consider removing or disabling ABRT entirely to reduce attack surface: systemctl disable --now abrtd and dnf remove abrt libreport if the packages are not required dependencies.
4. Verify using the exploit check script. Red Hat has published a detection script that tests for TOCTOU and symlink vulnerabilities in the local ABRT/libreport installation. Run this script after patching to confirm the fixes are in place. Refer to the Red Hat knowledgebase article linked in references.
5. Monitor for unusual crash activity. Exploitation attempts may generate anomalous crash reports or ABRT log entries. Monitor /var/log/abrt.log and ABRT problem directories for unexpected crash reports, particularly from processes that do not normally crash or from users who do not typically generate crash data.
6. Harden filesystem mounts. Where feasible, mount /tmp, /var/tmp, and user-writable directories with the nosuid and noexec options. While these measures do not prevent the vulnerabilities themselves, they can limit post-exploitation techniques that an attacker might chain with these CVEs.

---

References

• Red Hat Security Updates — CVE-2026-54228 through CVE-2026-54231
• ABRT GitHub Repository
• libreport GitHub Repository
• NIST NVD — Search for individual CVE IDs (CVE-2026-54228 through CVE-2026-54231)

---

Disclaimer: This information is provided for educational and defensive purposes only. Always verify details against official Red Hat and Fedora security announcements before taking action. Apply patches in a test environment first where possible. Threat intelligence moves quickly — confirm the latest patch status through official distribution channels.