Skip to main content

Systemd EUVDEUVD-2026-21399

| CVE-2026-40225 MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-04-10 mitre GHSA-396h-m3pm-fpm5
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
260
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21399
Analysis Generated
Apr 10, 2026 - 16:00 vuln.today
CVE Published
Apr 10, 2026 - 15:16 nvd
MEDIUM 6.4

DescriptionCVE.org

In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.

AnalysisAI

Local root code execution in systemd's udev subsystem before version 260 allows attackers with physical access to craft malicious hardware devices that exploit unsanitized kernel output, achieving privilege escalation from local user context to root. The attack requires physical device insertion but no user interaction; CVSS 6.4 reflects the physical attack vector constraint, though successful exploitation grants complete system compromise. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability resides in systemd's udev (userspace device manager), which handles device hotplug events and executes rules-based actions in response to kernel device notifications. The flaw stems from inadequate sanitization of kernel-supplied device attributes (CWE-669: Inadequate Control Flow Management), allowing malicious hardware or firmware to inject crafted data that udev processes without proper validation. When udev processes these unsanitized kernel outputs during device enumeration or rule evaluation, the attacker-controlled data can trigger unintended code paths. The affected product is systemd versions 0 through 259; systemd 260 and later patch this vulnerability. The physical attack vector (AV:P) indicates the attacker must have local hardware access, distinguishing this from network-exploitable flaws, though once triggered, the execution context runs with root privileges via the udevd daemon.

RemediationAI

Upgrade systemd to version 260 or later, which contains the patch to sanitize kernel device output in udev. Most distributions provide updated systemd packages through their standard repositories; administrators should apply the update via their distribution's package manager (e.g., apt update && apt upgrade systemd on Debian-based systems, or yum update systemd on RHEL-based systems). For systems unable to upgrade immediately, physical access controls and device whitelist policies (via udev rules) can reduce risk by restricting which hardware devices trigger rule execution. Refer to the official systemd security advisory at https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx for distribution-specific patch availability and timelines. No workaround fully mitigates the vulnerability without patching, as the flaw is in the kernel interface parsing layer itself.

CVE-2015-7510 CRITICAL POC
9.8 Sep 25

Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. Rated cr

CVE-2013-4391 HIGH POC
7.5 Oct 28

Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cau

CVE-2016-10156 HIGH POC
7.8 Jan 23

A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd tim

CVE-2023-26604 HIGH POC
7.8 Mar 03

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible su

CVE-2019-3844 HIGH POC
7.8 Apr 26

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of

CVE-2019-3843 HIGH POC
7.8 Apr 26

It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allo

CVE-2018-15686 HIGH POC
7.8 Oct 26

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution

CVE-2018-6954 HIGH POC
7.8 Feb 13

systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local

CVE-2019-3842 HIGH POC
7.0 Apr 09

In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using t

CVE-2018-15687 HIGH POC
7.0 Oct 26

A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary

CVE-2017-1000082 CRITICAL
9.8 Jul 07

systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. Rated critical severity (CV

CVE-2022-2526 CRITICAL
9.8 Sep 09

A use-after-free vulnerability was found in systemd. Rated critical severity (CVSS 9.8), this vulnerability is remotely

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

EUVD-2026-21399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy