Bug 2488571 (CVE-2026-54231)

Summary: CVE-2026-54231 abrt: unsanitized systemd journal content written to dump directory files enables content injection
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A local user can inject arbitrary content into the journal output by embedding newline characters in syslog messages, controlling the content that root writes to dump directory files.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2488618    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-12 21:14:51 UTC
A content injection vulnerability was found in the ABRT post-create event handler scripts. The event script queries the systemd journal for log entries matching the crashed process using journalctl with _COMM and _UID filters, and writes the results to files in the dump directory (e.g., var_log_messages). Any local user can pre-populate the systemd journal with entries whose _COMM matches common process names (e.g., "sleep") by using prctl(PR_SET_NAME) and syslog(). By embedding newline characters (\n) in syslog messages, the attacker can inject arbitrary content that appears on its own line in the journalctl output. While the event script filters out audit lines, it does not sanitize syslog entries for embedded control characters or validate the content before writing it to dump directory files. This allows an attacker to control the content that root writes to files in the dump directory.