CVE-2026-4897 — Allocation of Resources Without Limits or Throttling in Policykit-1

CWE-770 — Allocation of Resources Without Limits or Throttling7 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 97.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Policykit-1

Timeline

PublishedMar 26

Latest updateApr 14

Description

A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶debiandebian/policykit-1

🔴Vulnerability Details

OSV

CVE-2026-4897: A flaw was found in polkit↗2026-03-26

▶

GHSA

GHSA-v4jf-wwp4-588q: A flaw was found in polkit↗2026-03-26

▶

📋Vendor Advisories

Ubuntu

polkit vulnerabilities↗2026-04-14

▶

Red Hat

polkit: Polkit: Denial of Service via unbounded input processing through standard input↗2026-03-26

▶

Debian

CVE-2026-4897: policykit-1 - A flaw was found in polkit. A local user can exploit this by providing a special...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4897 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶