CRI-O Home Environment Variable Injection Vulnerability Allowing Arbitrary Line Addition to /etc/passwd

Vulnerability

A vulnerability exists in CRI-O due to an incorrect fix for a previous issue (CVE-2022-4318), allowing the vulnerability to be bypassed. An attacker who can set environment variables in a container can inject a newline character into the HOME variable. This injection enables the addition of arbitrary lines to the /etc/passwd file by using a specially crafted environment variable. The vulnerability is present in CRI-O versions prior to 1.26.0.

Impact

Exploitation of this vulnerability allows for arbitrary line injection into the /etc/passwd file of the affected container. This could lead to privilege escalation within the container.

Reproduction

To reproduce this vulnerability, set a newline-injected HOME environment variable on a container. The injected newline will bypass the incorrect validation implemented in response to CVE-2022-4318, allowing unsanitized data to be processed and injected into the /etc/passwd file.

Remediation

Users can upgrade to CRI-O versions 1.26.0 or later, where this vulnerability has been fixed.

Added: Jul 15, 2026, 1:23 PM
Updated: Jul 15, 2026, 1:23 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.7
exploitability
4.6
remediation
0.0
relevance
9.8
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.