CVE-2026-54228 HIGH

CVE-2026-54228: ABRT: TOCTOU race condition in abrt-dbus SetElement allows arbitrary file writes to dump directories

Vendor: Red Hat
Product: Red Hat Enterprise Linux 6
Weakness: CWE-367
Published: June 13, 2026
Last update: June 30, 2026

CVSS base score

7.8/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing.

Key dates

02 Disclosure timeline

June 13, 2026: CVE published
June 30, 2026: Record updated