Environment Variable Injection Flaw in CRI-O by Red Hat
CVE-2026-15809
7.8HIGH
What is CVE-2026-15809?
A significant vulnerability exists in CRI-O, stemming from an inadequate fix for a previous flaw. This issue permits an attacker who can influence container environment variables to inject newline characters into the HOME variable. Consequently, malicious actors could manipulate the /etc/passwd file by introducing arbitrary entries, posing a severe risk to system integrity and security. This vulnerability highlights the importance of robust validation procedures in container environments.
References
CVSS V3.1
Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Nebojša Jaćović for reporting this issue.