Skip to main content

Red Hat CVE-2026-40226

| EUVDEUVD-2026-21400 MEDIUM
Use of Less Trusted Source (CWE-348)
2026-04-10 mitre GHSA-hc7r-6254-88w5
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
260
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21400
Analysis Generated
Apr 10, 2026 - 16:00 vuln.today
CVE Published
Apr 10, 2026 - 15:18 nvd
MEDIUM 6.4

DescriptionCVE.org

In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

AnalysisAI

Escape-to-host vulnerability in systemd nspawn (versions 233-259) allows local privileged users to break container isolation via a crafted optional config file, enabling arbitrary code execution on the host system. CVSS 6.4 reflects high integrity and confidentiality impact but requires high privilege and difficult attack conditions. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

systemd's nspawn is a lightweight container runtime that isolates processes using Linux namespaces and cgroups. The vulnerability resides in nspawn's config file parsing logic (CWE-348: Incorrect Calculation of Buffer Size for String Copy), where insufficient validation of optional configuration parameters allows a malicious config to manipulate namespace boundaries or resource restrictions. An attacker with high privileges (root or systemd-nspawn user) within the container or with write access to nspawn configuration directories can craft a config file that bypasses containerization controls, granting access to the host filesystem, network, and process space. The affected CPE cpe:2.3:a:systemd:systemd:*:*:*:*:*:*:*:* spans all systemd installations using nspawn; the version range 233-259 is vulnerable.

RemediationAI

Vendor-released patch: systemd version 260 and later. Affected users should upgrade systemd immediately to version 260 or newer via their distribution's package manager (e.g., apt upgrade systemd on Debian/Ubuntu, dnf upgrade systemd on Fedora/RHEL). Users unable to upgrade immediately should restrict file permissions on nspawn configuration directories (/etc/systemd/nspawn/, /run/systemd/nspawn/, and user-local equivalents) to prevent unauthorized creation or modification of container config files by non-root users. Refer to GitHub Security Advisory GHSA-9mj4-rrc3-gjcx (https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx) for detailed advisory and additional context.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Micro 5.2 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

CVE-2026-40226 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy