CVE-2026-15809 (GCVE-0-2026-15809)
Vulnerability from cvelistv5 – Published: 2026-07-15 12:32 – Updated: 2026-07-16 05:41
VLAI
EPSS
VEX
Title
Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env
Summary
A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-15809 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2500846 | issue-trackingx_refsource_REDHAT |
| https://github.com/cri-o/cri-o/pull/6450 | |
| https://github.com/cri-o/cri-o/pull/6524 |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Confidential Compute Attestation |
cpe:/a:redhat:confidential_compute_attestation:1 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public
2026-07-15 10:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:06:08.620102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:06:21.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:confidential_compute_attestation:1"
],
"defaultStatus": "affected",
"packageName": "openshift-sandboxed-containers/osc-monitor-rhel9",
"product": "Confidential Compute Attestation",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "cri-o",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/cnf-tests-rhel8",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ztp-site-generate-rhel8",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Neboj\u0161a Ja\u0107ovi\u0107 for reporting this issue."
}
],
"datePublic": "2026-07-15T10:18:17.941Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "Use of Externally-Controlled Format String",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T05:41:01.884Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-15809"
},
{
"name": "RHBZ#2500846",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2500846"
},
{
"url": "https://github.com/cri-o/cri-o/pull/6450"
},
{
"url": "https://github.com/cri-o/cri-o/pull/6524"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-15T09:58:08.982Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-07-15T10:18:17.941Z",
"value": "Made public."
}
],
"title": "Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 \u2014 /etc/passwd injection via home env",
"workarounds": [
{
"lang": "en",
"value": "Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-134: Use of Externally-Controlled Format String"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-15809",
"datePublished": "2026-07-15T12:32:42.587Z",
"dateReserved": "2026-07-15T09:57:48.452Z",
"dateUpdated": "2026-07-16T05:41:01.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-15809",
"date": "2026-07-16",
"epss": "0.00126",
"percentile": "0.02638"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-15809\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2026-07-15T13:17:03.933\",\"lastModified\":\"2026-07-16T07:16:47.750\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.\"}],\"affected\":[{\"source\":\"secalert@redhat.com\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Confidential Compute Attestation\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift-sandboxed-containers/osc-monitor-rhel9\",\"cpes\":[\"cpe:/a:redhat:confidential_compute_attestation:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"cri-o\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift4/cnf-tests-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat OpenShift Container Platform 4\",\"defaultStatus\":\"affected\",\"collectionURL\":\"https://access.redhat.com/downloads/content/package-browser/\",\"packageName\":\"openshift4/ztp-site-generate-rhel8\",\"cpes\":[\"cpe:/a:redhat:openshift:4\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-15T13:06:08.620102Z\",\"id\":\"CVE-2026-15809\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-134\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-15809\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2500846\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/cri-o/cri-o/pull/6450\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/cri-o/cri-o/pull/6524\",\"source\":\"secalert@redhat.com\"}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-16T05:40:56+00:00",
"cve": "CVE-2026-15809",
"id": "CVE-2026-15809",
"initial_release_date": "2026-07-15T10:18:17.941000+00:00",
"product_status:known_affected": "5",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "github.com/cri-o/cri-o: Fix Bypass for CVE-2022-4318 \u2014 /etc/passwd Injection via HOME env",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-15809.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-15809\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-15T13:06:08.620102Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116 Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-15T13:06:18.426Z\"}}], \"cna\": {\"title\": \"Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 \\u2014 /etc/passwd injection via home env\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Neboj\\u0161a Ja\\u0107ovi\\u0107 for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:confidential_compute_attestation:1\"], \"vendor\": \"Red Hat\", \"product\": \"Confidential Compute Attestation\", \"packageName\": \"openshift-sandboxed-containers/osc-monitor-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"cri-o\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/cnf-tests-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ztp-site-generate-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-07-15T09:58:08.982Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-07-15T10:18:17.941Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2026-07-15T10:18:17.941Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-15809\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2500846\", \"name\": \"RHBZ#2500846\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/cri-o/cri-o/pull/6450\"}, {\"url\": \"https://github.com/cri-o/cri-o/pull/6524\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-134\", \"description\": \"Use of Externally-Controlled Format String\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-07-16T05:41:01.884Z\"}, \"x_redhatCweChain\": \"CWE-134: Use of Externally-Controlled Format String\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-15809\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-16T05:41:01.884Z\", \"dateReserved\": \"2026-07-15T09:57:48.452Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2026-07-15T12:32:42.587Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…