Debian Systemd vulnerabilities

CVE-2026-4105 [MEDIUM] CVE-2026-4105: systemd - A flaw was found in systemd. The systemd-machined service contains an Improper A... A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-contr

CVE-2026-29111 [MEDIUM] CVE-2026-29111: systemd - systemd, a system and service manager, (as PID 1) hits an assert and freezes exe... systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This I

CVE-2025-4598 [MEDIUM] CVE-2025-4598: systemd - A vulnerability was found in systemd-coredump. This flaw allows an attacker to f... A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, w

CVE-2023-50387 [HIGH] CVE-2023-50387: bind9 - Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and r... Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must eval

CVE-2023-50868 [HIGH] CVE-2023-50868: bind9 - The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276... The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash

CVE-2023-26604 [HIGH] CVE-2023-26604: systemd - systemd before 247 does not adequately block local privilege escalation for some... systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl

CVE-2023-7008 [MEDIUM] CVE-2023-7008: systemd - A vulnerability was found in systemd-resolved. This issue may allow systemd-reso... A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records. Scope: local bookworm: resolved (fixed in 252.21-1~deb12u1) bullseye: resolved (fixed in 247.3-7+deb11u6) forky: resolved (f

CVE-2023-31439 [MEDIUM] CVE-2023-31439: systemd - An issue was discovered in systemd 253. An attacker can modify the contents of p... An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Scope: local bookworm: open bullseye: open forky: op

CVE-2023-31438 [MEDIUM] CVE-2023-31438: systemd - An issue was discovered in systemd 253. An attacker can truncate a sealed log fi... An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Scope: local bookworm: open bullseye: open forky: open sid: open trixie: open

CVE-2023-31437 [MEDIUM] CVE-2023-31437: systemd - An issue was discovered in systemd 253. An attacker can modify a sealed log file... An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." Scope: local bookworm: open bullseye: open forky: open sid: open trixie: open

CVE-2022-2526 [CRITICAL] CVE-2022-2526: systemd - A use-after-free vulnerability was found in systemd. This issue occurs due to th... A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference

CVE-2022-4415 [MEDIUM] CVE-2022-4415: systemd - A vulnerability was found in systemd. This security flaw can cause a local infor... A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. Scope: local bookworm: resolved (fixed in 252.4-1) bullseye: resolved (fixed in 247.3-7+deb11u2) forky: resolved (fixed in 252.4-1) sid: resolved (fixed in 252.4-1) trixie: resolved (fixed in 252.4-1)

CVE-2022-3821 [MEDIUM] CVE-2022-3821: systemd - An off-by-one Error issue was discovered in Systemd in format_timespan() functio... An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. Scope: local bookworm: resolved (fixed in 251.3-1) bullseye: resolved (fixed in 247.3-7+deb11u2) forky: resolved (fixed in 2

CVE-2022-45873 [MEDIUM] CVE-2022-45873: systemd - systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by... systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock

CVE-2021-33910 [MEDIUM] CVE-2021-33910: systemd - basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memo... basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash. Scope: local bookworm: resolved (fixed in 247.3-6) bullseye: resolved (fixed in 247.3-6) forky: resolved (fixed in 247.3-6)

CVE-2021-3997 [MEDIUM] CVE-2021-3997: systemd - A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may l... A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp. Scope: local bookworm: resolved (fixed in 250.2-1) bullseye: resolved (fixed in 247.3-7) forky: resolved (fixed in 250.2-1) sid: resolved (fixed in 250.2-1) trixie: resolved (fixed in 250.2-1)

CVE-2020-1712 [HIGH] CVE-2020-1712: systemd - A heap use-after-free vulnerability was found in systemd before version v245-rc1... A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. Scope: local bookworm: resolved

CVE-2020-13776 [CRITICAL] CVE-2020-13776: systemd - systemd through v245 mishandles numerical usernames such as ones composed of dec... systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082. Scope: local bookworm: resolved (fixed in 246-2) bullseye: resolved (f

CVE-2020-13529 [MEDIUM] CVE-2020-13529: systemd - An exploitable denial-of-service vulnerability exists in Systemd 245. A speciall... An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server. Scope: local bookworm: resolved (fixed in 249.4-2) bullseye: open forky

CVE-2019-3843 [HIGH] CVE-2019-3843: systemd - It was discovered that a systemd service that uses DynamicUser property can crea... It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. Scope: lo