A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.

Project Subscriptions

Vendors Products
Confidential Compute Attestation Subscribe
Openshift Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

Restrict access to users who can create or modify container workloads through appropriate RBAC permissions, apply security controls such as Security Context Constraints (SCCs) to limit privilege escalation, and enforce policies to run containers with reduced privileges (for example, as non-root) to reduce the impact of potential exploitation. Enable SELinux on affected nodes and consider admission controls to prevent potentially unsafe workload configurations.

History

Wed, 15 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Title cri-o: Fix Bypass for CVE-2022-4318 — /etc/passwd Injection via HOME env Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env
First Time appeared Redhat
Redhat confidential Compute Attestation
Redhat openshift
CPEs cpe:/a:redhat:confidential_compute_attestation:1
cpe:/a:redhat:openshift:4
Vendors & Products Redhat
Redhat confidential Compute Attestation
Redhat openshift
References

Wed, 15 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in CRI-O. The fix for a previous vulnerability (CVE-2022-4318) was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Title cri-o: Fix Bypass for CVE-2022-4318 — /etc/passwd Injection via HOME env
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-15T13:52:03.349Z

Reserved: 2026-07-15T09:57:48.452Z

Link: CVE-2026-15809

cve-icon Vulnrichment

Updated: 2026-07-15T13:06:18.426Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-15T10:18:17Z

Links: CVE-2026-15809 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses