A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.

Project Subscriptions

Vendors Products
Confidential Compute Attestation Subscribe
Openshift Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

History

Wed, 15 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Title cri-o: Fix Bypass for CVE-2022-4318 — /etc/passwd Injection via HOME env Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env
First Time appeared Redhat
Redhat confidential Compute Attestation
Redhat openshift
CPEs cpe:/a:redhat:confidential_compute_attestation:1
cpe:/a:redhat:openshift:4
Vendors & Products Redhat
Redhat confidential Compute Attestation
Redhat openshift
References

Wed, 15 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Title cri-o: Fix Bypass for CVE-2022-4318 — /etc/passwd Injection via HOME env
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-15T13:06:21.972Z

Reserved: 2026-07-15T09:57:48.452Z

Link: CVE-2026-15809

cve-icon Vulnrichment

Updated: 2026-07-15T13:06:18.426Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-15T10:18:17Z

Links: CVE-2026-15809 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses