Systemd vulnerabilities
11 known vulnerabilities affecting systemd/systemd.
Total CVEs: 11
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 7, LOW 1
Vulnerabilities
CVE-2026-40227 [MEDIUM] CVSS 6.2 | CWE-1025 | ≥ 260, < 261 | 2026-04-10
In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.
Sources: cvelistv5, nvd
CVE-2026-40223 [MEDIUM] CVSS 4.7 | CWE-696 | ≥ 258, < 260 | 2026-04-10
In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User= unit exists and is running.
Sources: cvelistv5, nvd
CVE-2026-40226 [MEDIUM] CVSS 6.4 | CWE-348 | ≥ 233, < 260 | 2026-04-10
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
Sources: cvelistv5, nvd
CVE-2026-40224 [MEDIUM] CVSS 6.7 | CWE-863 | ≥ 259, < 260 | 2026-04-10
In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.
Sources: cvelistv5, nvd
CVE-2026-40225 [MEDIUM] CVSS 6.4 | CWE-669 | fixed in 260 | 2026-04-10
In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.
Sources: cvelistv5, nvd
CVE-2026-40228 [LOW] CVSS 2.9 | CWE-669 | v259 | 2026-04-10
In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.
Sources: cvelistv5, nvd
CVE-2026-29111 [MEDIUM] CVSS 5.5 | CWE-269 | v>= 239, < 257.11; v>= 258, < 258.5; +1 more | 2026-03-23
systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert
Sources: cvelistv5, nvd
CVE-2012-1101 [MEDIUM] CVSS 5.5 | v37-1 | 2020-03-11
systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure).
Sources: cvelistv5, nvd
CVE-2018-15687 [HIGH] CVSS 7.0 | PoC | CWE-362 | ≥ unspecified, ≤ 239 | 2018-10-26
A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.
Sources: cvelistv5, nvd
CVE-2018-15686 [HIGH] CVSS 7.8 | PoC | CWE-502 | ≥ unspecified, ≤ 239 | 2018-10-26
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
Sources: cvelistv5, nvd
CVE-2018-15688 [HIGH] CVSS 8.8 | CWE-120 | ≥ unspecified, ≤ 239 | 2018-10-26
A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.
Sources: cvelistv5, nvd