Command-injection vulnerability in ABRT’s container data handling. The flaw is caused by ABRT extracting a 12-byte substring from user-controlled mount information and embedding it verbatim into a shell command constructed with g_strdup_printf("docker inspect %s", container_id). Because the input is not sanitized and is passed to a shell invocation, a crafted mountinfo value can inject shell metacharacters and arbitrary commands. This can be exploited locally by any user with access to ABRT’s UNIX socket to escalate to root and escape systemd sandboxing, enabling full system compromise.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:22760 https://access.redhat.com/errata/RHSA-2025:22760
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:23030 https://access.redhat.com/errata/RHSA-2025:23030
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:23031 https://access.redhat.com/errata/RHSA-2025:23031
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:23033 https://access.redhat.com/errata/RHSA-2025:23033
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:23032 https://access.redhat.com/errata/RHSA-2025:23032