2488532 – (CVE-2026-54229) CVE-2026-54229 abrt: ChownProblemDir succeeds during active post-create event processing due to inadequate locking

Bug 2488532 (CVE-2026-54229) - CVE-2026-54229 abrt: ChownProblemDir succeeds during active post-create event processing due to inadequate locking

Summary: CVE-2026-54229 abrt: ChownProblemDir succeeds during active post-create event...

Keywords:
Status:	NEW
Alias:	CVE-2026-54229
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2488617
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-12 20:58 UTC by OSIDB Bzimport
Modified:	2026-06-12 22:29 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-12 20:58:13 UTC

A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY (which does not require a write lock) and calls dd_chown to change ownership of all files to the caller's uid. This succeeds even while post-create event handlers hold a write lock on the dump directory, because the read-only open does not conflict with the write lock. After ChownProblemDir, the attacker gains direct filesystem-level access to the dump directory (can delete files, create symlinks, etc.) while the already-running event shell process continues executing with root privileges in the abrt_handle_event_t SELinux domain.

Note You need to log in before you can comment on or make changes to this bug.