Bug 2445770 (CVE-2026-3836)

Summary: CVE-2026-3836 dnf5: dnf5: Denial of Service via path traversal in D-Bus locale configuration
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ppisar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in dnf5. A local, unprivileged attacker can exploit a path traversal vulnerability in the D-Bus locale configuration. By providing a specially crafted string to the locale key during session opening, the attacker can force the dnf5daemon-server to terminate, leading to an application-level Denial of Service (DoS) with a core dump.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2445771    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-09 14:41:23 UTC 
Unauthenticated Local Denial of Service (DoS) in

dnf5daemon-server

via path traversal in the D-Bus
locale

configuration. By passing an invalid or malicious string (e.g.,
../../../../../tmp/PWNED

) to the
locale

key during
 open_session

, an unprivileged user forces the underlying
libdnf5

library to throw a
libdnf5::SystemError

when
newlocale()

fails. Because
 ThreadsManager::set_thread_locale

does not catch this exception, it escapes the thread boundary, invoking
std::terminate()

and causing the root-privileged daemon to abort with a core dump.
Requirements to exploit:
The attacker requires a local, unprivileged user account on the target system and access to the System D-Bus. No special permissions or user interactions are required.
Comment 2 Petr Pisar 2026-03-10 09:28:23 UTC 
There is no path traversal. The exception happens when the passed string as a locale unknown to glibc.

There are two options how to fix it in the server code:

(1) Handle the exceptions by returning a D-Bus error,

(2) Handle the exceptions by not setting any locale.

Since typically setting a locale is an optional feature in applications, defaulting to C locale, and since having an invalid locale on client side would prevent users from performing any package operations, especially installing a desired glibc-langpack-* package, I'm for fixing this issue with the second option.