2488571 – (CVE-2026-54231) CVE-2026-54231 abrt: unsanitized systemd journal content written to dump directory files enables content injection

Bug 2488571 (CVE-2026-54231) - CVE-2026-54231 abrt: unsanitized systemd journal content written to dump directory files enables content injection

Summary: CVE-2026-54231 abrt: unsanitized systemd journal content written to dump dire...

Keywords:
Status:	NEW
Alias:	CVE-2026-54231
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2488618
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-12 21:14 UTC by OSIDB Bzimport
Modified:	2026-06-12 22:30 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-12 21:14:51 UTC

A content injection vulnerability was found in the ABRT post-create event handler scripts. The event script queries the systemd journal for log entries matching the crashed process using journalctl with _COMM and _UID filters, and writes the results to files in the dump directory (e.g., var_log_messages). Any local user can pre-populate the systemd journal with entries whose _COMM matches common process names (e.g., "sleep") by using prctl(PR_SET_NAME) and syslog(). By embedding newline characters (\n) in syslog messages, the attacker can inject arbitrary content that appears on its own line in the journalctl output. While the event script filters out audit lines, it does not sanitize syslog entries for embedded control characters or validate the content before writing it to dump directory files. This allows an attacker to control the content that root writes to files in the dump directory.

Note You need to log in before you can comment on or make changes to this bug.