<Vulnerability name="CVE-2026-15809">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-15T10:18:17</PublicDate>
    <Bugzilla id="2500846" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500846" xml:lang="en:us">
github.com/cri-o/cri-o: Fix Bypass for CVE-2022-4318 — /etc/passwd Injection via HOME env
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-134</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
    </Details>
    <Statement xml:lang="en:us">
This Important flaw in CRI-O allows for arbitrary line injection into a container's `/etc/passwd` file. An attacker capable of setting container environment variables can bypass a previous fix (CVE-2022-4318) by supplying a real newline character in the `HOME` environment variable, potentially leading to privilege escalation within the affected container. This risk is present in environments where untrusted users can influence container environment variable settings.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Nebojša Jaćović (Independent Security Researcher) for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:confidential_compute_attestation:1">
        <ProductName>Confidential Compute Attestation</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-sandboxed-containers/osc-monitor-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>cri-o</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift4/cnf-tests-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift4/ztp-site-generate-rhel8</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-15809
https://nvd.nist.gov/vuln/detail/CVE-2026-15809
https://github.com/cri-o/cri-o/pull/6450
https://github.com/cri-o/cri-o/pull/6524
    </References>
</Vulnerability>