Systemd
CVE-2019-6454
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).
AnalysisAI
An issue was discovered in sd-bus in systemd 239. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Out-of-bounds Write (CWE-787), which allows attackers to write data beyond allocated buffer boundaries leading to code execution or crashes. An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic). Affected products include: Systemd Project Systemd, Opensuse Leap, Netapp Active Iq Performance Analytics Services, Debian Debian Linux, Fedoraproject Fedora.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate write boundaries, use memory-safe languages, enable compiler protections (ASLR, stack canaries).
Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. Rated cr
Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cau
A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd tim
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible su
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allo
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution
systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using t
A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary
systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. Rated critical severity (CV
A use-after-free vulnerability was found in systemd. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today