Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.
AnalysisAI
systemd-journald in systemd 259 allows local attackers to send ANSI escape sequences to terminals of arbitrary users via the logger utility when ForwardToWall=yes is enabled, enabling terminal manipulation and information disclosure attacks with low CVSS impact but realistic local access requirements.
Technical ContextAI
systemd-journald is the system logging daemon in systemd that handles journal entries and message wall notifications. The vulnerability exists in the wall message forwarding mechanism (ForwardToWall configuration option) which broadcasts emergency-level log messages to all logged-in users' terminals. The issue stems from insufficient sanitization of ANSI escape sequences in log data before forwarding to user terminals. CWE-669 (Incorrect Resource Transfer Between Spheres) indicates the core problem: untrusted data from the logger command is transferred to terminal contexts without proper filtering, allowing escape sequence injection. This affects systemd version 259 across all architectures and distributions that package this version with ForwardToWall functionality enabled or configurable by unprivileged users.
RemediationAI
Upgrade systemd to a patched version beyond 259 released by your distribution. As a temporary workaround, disable the ForwardToWall option by setting ForwardToWall=no in /etc/systemd/journald.conf or the corresponding configuration file for your system, then restart systemd-journald with systemctl restart systemd-journald. Restrict logger command invocation to trusted users via sudo or AppArmor/SELinux policies if ForwardToWall must remain enabled. Consult your distribution's security advisories and the systemd GitHub repository (https://github.com/systemd/systemd) for specific patched release versions.
Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. Rated cr
Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cau
A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd tim
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible su
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allo
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution
systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using t
A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary
systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. Rated critical severity (CV
A use-after-free vulnerability was found in systemd. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21498