{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aredhatopenshift_container_platform_for_linuxone4.12/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:kubernetes:cri-o:-:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.12:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.12:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*","cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.11:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.11:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_for_power:4.11:*:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.11:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-15809"},{"cvss":7.8,"id":"CVE-2022-4318"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CRI-O","Red Hat OpenShift Container Platform 4","Red Hat Confidential Compute Attestation"],"_cs_severities":["high"],"_cs_tags":["container","linux","vulnerability","privilege-escalation","persistence","cri-o"],"_cs_type":"advisory","_cs_vendors":["Red Hat, Inc."],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-15809, has been discovered in CRI-O, a container runtime interface for Kubernetes. This flaw represents an incomplete fix for a prior vulnerability, CVE-2022-4318. The issue allows an attacker who can set environment variables within a container to inject a newline character into the \u003ccode\u003eHOME\u003c/code\u003e environment variable. This maliciously crafted input is then processed by CRI-O in such a way that arbitrary lines can be added to the \u003ccode\u003e/etc/passwd\u003c/code\u003e file. Successful exploitation could lead to the creation of new user accounts or modification of existing ones, granting an attacker unintended privileges or establishing persistence within the affected container environment. This poses a significant risk to Kubernetes clusters utilizing vulnerable versions of CRI-O.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to execute code within a container, with privileges sufficient to set environment variables for subsequent processes. This could be through another vulnerability, misconfiguration, or compromised legitimate credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eHOME\u003c/code\u003e environment variable string. This string includes a newline character and specially formatted data intended to add or modify entries in the \u003ccode\u003e/etc/passwd\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe vulnerable CRI-O container runtime processes the crafted \u003ccode\u003eHOME\u003c/code\u003e environment variable when a new process or container is launched with the attacker-controlled environment.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete fix for CVE-2022-4318, CRI-O fails to properly sanitize the \u003ccode\u003eHOME\u003c/code\u003e environment variable, allowing the injected newline character to be interpreted.\u003c/li\u003e\n\u003cli\u003eThis misinterpretation results in the arbitrary injection of the attacker-controlled lines into the \u003ccode\u003e/etc/passwd\u003c/code\u003e file, located either within the container or potentially on the host if privileges allow.\u003c/li\u003e\n\u003cli\u003eThe injected lines create new user accounts, modify existing user's UIDs/GIDs, or establish other forms of account manipulation, effectively granting the attacker elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified \u003ccode\u003e/etc/passwd\u003c/code\u003e file to gain privilege escalation (e.g., obtaining root access) or establish persistence within the compromised container or host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15809 allows an attacker to achieve privilege escalation and persistence within a compromised container environment. By injecting arbitrary lines into the \u003ccode\u003e/etc/passwd\u003c/code\u003e file, an attacker can create new privileged accounts or alter existing ones, effectively gaining control over the container. In some configurations, this could potentially lead to a container escape, granting access to the underlying host system. While specific victim numbers are not provided, any organization running affected versions of CRI-O in containerized environments, especially Kubernetes, is at risk of unauthorized access and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15809 immediately by updating CRI-O to a patched version as recommended by Red Hat.\u003c/li\u003e\n\u003cli\u003eEnable detailed file system auditing on Linux systems to detect suspicious modifications to critical system files like \u003ccode\u003e/etc/passwd\u003c/code\u003e as detected by the \u003ccode\u003eDetect Linux /etc/passwd File Modification\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor container environments for unusual process execution or attempts to modify sensitive system files within containers.\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring for \u003ccode\u003e/etc/passwd\u003c/code\u003e and other critical system configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T13:19:03Z","date_published":"2026-07-15T13:19:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-crio-env-var-injection/","summary":"A critical vulnerability, CVE-2026-15809, in CRI-O allows an attacker with the ability to set container environment variables to bypass a previous fix (CVE-2022-4318), inject a newline character into the HOME environment variable, and add arbitrary lines to /etc/passwd, potentially leading to privilege escalation or persistence within the container.","title":"CRI-O Environment Variable Injection Vulnerability (CVE-2026-15809)","url":"https://feed.craftedsignal.io/briefs/2026-07-crio-env-var-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.12:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}