Systemd Project Systemd vulnerabilities

CVE-2025-4598 [MEDIUM] CWE-364 CVE-2025-4598: A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type o

CVE-2023-7008 [MEDIUM] CWE-300 CVE-2023-7008: A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept recor A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

CVE-2023-31438 [MEDIUM] CWE-354 CVE-2023-31438: An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume l An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

CVE-2023-31439 [MEDIUM] CWE-354 CVE-2023-31439: An issue was discovered in systemd 253. An attacker can modify the contents of past events in a seal An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

CVE-2023-31437 [MEDIUM] CWE-354 CVE-2023-31437: An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

CVE-2023-26604 [HIGH] CWE-269 CVE-2023-26604: systemd before 247 does not adequately block local privilege escalation for some Sudo configurations systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when ru

CVE-2022-4415 [MEDIUM] CWE-200 CVE-2022-4415: A vulnerability was found in systemd. This security flaw can cause a local information leak due to s A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

CVE-2022-45873 [MEDIUM] CWE-400 CVE-2022-45873: systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to caus

CVE-2022-3821 [MEDIUM] CWE-193 CVE-2022-3821: An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.

CVE-2022-2526 [CRITICAL] CWE-416 CVE-2022-2526: A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() fun A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when

CVE-2021-3997 [MEDIUM] CWE-674 CVE-2021-3997: A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of s A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.

CVE-2021-33910 [MEDIUM] CWE-770 CVE-2021-33910: basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with a basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

CVE-2020-13529 [MEDIUM] CWE-290 CVE-2020-13529: An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCE An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.

CVE-2020-13776 [MEDIUM] CVE-2020-13776: systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x fo systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.

CVE-2020-1712 [HIGH] CWE-416 CVE-2020-1712: A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.

CVE-2012-1101 [MEDIUM] CVE-2012-1101: systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failu systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure).

CVE-2019-20386 [LOW] CWE-401 CVE-2019-20386: An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executin An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.

CVE-2018-21029 [CRITICAL] CWE-295 CVE-2018-21029: systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Ov systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issu

CVE-2019-15718 [MEDIUM] CVE-2019-15718: In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order

CVE-2018-20839 [MEDIUM] CVE-2018-20839: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords i systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.