Systemd
Monthly
systemd-journald in systemd 259 allows local attackers to send ANSI escape sequences to terminals of arbitrary users via the logger utility when ForwardToWall=yes is enabled, enabling terminal manipulation and information disclosure attacks with low CVSS impact but realistic local access requirements.
Local root code execution in systemd's udev subsystem before version 260 allows attackers with physical access to craft malicious hardware devices that exploit unsanitized kernel output, achieving privilege escalation from local user context to root. The attack requires physical device insertion but no user interaction; CVSS 6.4 reflects the physical attack vector constraint, though successful exploitation grants complete system compromise. No public exploit code or active exploitation has been confirmed at time of analysis.
Local privilege escalation in systemd 259 before 260 allows authenticated local users to gain root-level access via varlink communication to systemd-machined, exploiting improper namespace isolation. The vulnerability requires low privileges, high attack complexity, and user interaction, affecting the systemd init system across Linux distributions. No public exploit code or active exploitation has been confirmed at time of analysis.
Local denial of service in systemd 258 through 259 allows unprivileged users to trigger an assertion failure by interacting with service units configured with Delegate=yes and no explicit User setting, causing the systemd daemon to crash. The vulnerability requires local access and specific unit configuration but poses moderate risk to system availability with a CVSS score of 4.7 and no active exploitation currently identified.
A vulnerability was found in systemd-coredump. Rated medium severity (CVSS 4.7). Public exploit code available and no vendor patch available.
A vulnerability was found in systemd-resolved. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in systemd 253. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in systemd 253. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in systemd 253. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
A use-after-free vulnerability was found in systemd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user. Rated medium severity (CVSS 6.7). This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available.
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.
An issue was discovered in sd-bus in systemd 239. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Rated high severity (CVSS 7.0). Public exploit code available.
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on. Rated medium severity (CVSS 6.3). No vendor patch available.
The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the. Rated medium severity (CVSS 5.9). This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.
journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service blocking) via a crafted file descriptor. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.
Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race. Rated medium severity (CVSS 6.9).
The rm_rf_children function in util.c in the systemd-logind login manager in systemd before 44, when logging out, allows local users to delete arbitrary files via a symlink attack on unspecified. Rated low severity (CVSS 3.3). Public exploit code available and no vendor patch available.
systemd-journald in systemd 259 allows local attackers to send ANSI escape sequences to terminals of arbitrary users via the logger utility when ForwardToWall=yes is enabled, enabling terminal manipulation and information disclosure attacks with low CVSS impact but realistic local access requirements.
Local root code execution in systemd's udev subsystem before version 260 allows attackers with physical access to craft malicious hardware devices that exploit unsanitized kernel output, achieving privilege escalation from local user context to root. The attack requires physical device insertion but no user interaction; CVSS 6.4 reflects the physical attack vector constraint, though successful exploitation grants complete system compromise. No public exploit code or active exploitation has been confirmed at time of analysis.
Local privilege escalation in systemd 259 before 260 allows authenticated local users to gain root-level access via varlink communication to systemd-machined, exploiting improper namespace isolation. The vulnerability requires low privileges, high attack complexity, and user interaction, affecting the systemd init system across Linux distributions. No public exploit code or active exploitation has been confirmed at time of analysis.
Local denial of service in systemd 258 through 259 allows unprivileged users to trigger an assertion failure by interacting with service units configured with Delegate=yes and no explicit User setting, causing the systemd daemon to crash. The vulnerability requires local access and specific unit configuration but poses moderate risk to system availability with a CVSS score of 4.7 and no active exploitation currently identified.
A vulnerability was found in systemd-coredump. Rated medium severity (CVSS 4.7). Public exploit code available and no vendor patch available.
A vulnerability was found in systemd-resolved. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue was discovered in systemd 253. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in systemd 253. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in systemd 253. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
A use-after-free vulnerability was found in systemd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user. Rated medium severity (CVSS 6.7). This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available.
It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.
An issue was discovered in sd-bus in systemd 239. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Rated high severity (CVSS 7.0). Public exploit code available.
A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.
The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on. Rated medium severity (CVSS 6.3). No vendor patch available.
The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the. Rated medium severity (CVSS 5.9). This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.
journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service blocking) via a crafted file descriptor. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.
Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race. Rated medium severity (CVSS 6.9).
The rm_rf_children function in util.c in the systemd-logind login manager in systemd before 44, when logging out, allows local users to delete arbitrary files via a symlink attack on unspecified. Rated low severity (CVSS 3.3). Public exploit code available and no vendor patch available.