55 matches found
CVE-2021-33910
CVE-2021-33910 affects systemd prior to versions 246.15, 247.8, 248.5, and 249.1. The root cause is a Memory Allocation with an Excessive Size Value in basic/unit-name.c involving strdupa and alloca for a pathname controlled by a local attacker, leading to a crash of the operating system (denial ...
CVE-2019-20386
CVE-2019-20386 affects systemd and is caused by a memory leak in button_open() invoked when handling udev events via login/logind-button.c, enabling local DoS under certain conditions. Public docs confirm an exploit path that uses udevadm trigger to cause the memory leak and a potential denial of service....
CVE-2019-6454
CVE-2019-6454 affects systemd’s bus_process_object() which allocates a large stack buffer for the object path in D-Bus messages. A locally unprivileged user can send a crafted message to PID1, causing the stack pointer to jump past guard pages and crash systemd PID1, potentially triggering a kern...
CVE-2019-3842
The CVE-2019-3842 issue affects systemd’s pam_systemd, where improper sanitization of the XDG_SEAT environment variable could enable commands to be checked against polkit policies using the "allow_active" element instead of "allow_any" in some configurations. This is a local vulnerability (enviro...
CVE-2018-16865
CVE-2018-16865 affects systemd-journald (journald) and was described across multiple sources as a memory-allocation/stack-clash vulnerability. The issue occurs when many entries are sent to the journal socket (or via remote journald-remote) and can allow crash or code execution. Affected versions...
CVE-2021-3997
CVE-2021-3997 affects systemd with an uncontrolled recursion in systemd-tmpfiles that can cause a denial of service at boot when many nested /tmp directories are created. Connected documents confirm the issue and indicate remediation through updated systemd packages (e.g., Mariner cites versions
CVE-2018-16864
CVE-2018-16864 affects systemd-journald. The connected advisories confirm a memory-management issue in journald (and a backport memory leak in journald-server.c) that can crash journald or enable privilege escalation on local hosts. Root cause: memory allocations for command-line/state data not p...
CVE-2018-15688
CVE-2018-15688 is a buffer/heap overwrite in the dhcpv6 option handling of systemd-networkd (systemd up to 239). A malicious DHCPv6 server on the same network could trigger an out-of-bounds write, potentially causing a Denial of Service or code execution. Affected products include systemd with ve...
CVE-2018-16866
CVE-2018-16866 is a systemd-journald out-of-bounds read vulnerability. The flaw arises in how journald parses log messages that terminate with a colon, allowing a local attacker to disclose process memory data. Affected versions are reported as v221–v239. Public advisories and vendor notes (e.g.,...
CVE-2022-4415
CVE-2022-4415 affects systemd and related components, with the root cause in systemd-coredump not respecting fs.suid_dumpable, enabling local information leakage. Affected packages include systemd and systemd-coredump across distributions; older releases (pre-patched) are vulnerable. The exploita...
CVE-2022-2526
CVE-2022-2526 is a use-after-free in systemd’s DNS stream handling (resolved-dns-stream.c). The root cause is that on_stream_io() and dns_stream_complete() do not increment the DnsStream reference count, allowing callbacks to dereference freed objects. Documents indicate this can lead to crashes ...
CVE-2025-4598
The CVE-2025-4598 entry concerns a race condition in systemd-coredump that can let a local attacker read a crashed SUID process’s core dump. Affected component is systemd and its coredump handling; root cause is a kill-and-replace race where the kernel recycles a PID before systemd-coredump can a...
CVE-2020-13529
CVE-2020-13529 is a systemd denial-of-service/remote reconfiguration vulnerability tied to DHCP FORCERENEW handling. The connected documents confirm a DHCP FORCERENEW/ACK pairing can allow an attacker to reconfigure a systemd-managed DHCP client. The issue affects systemd components (e.g., system...
CVE-2018-15686
CVE-2018-15686 affects systemd up to version 239, where unit_deserialize can be manipulated via NotifyAccess to inject arbitrary state across re-execution, potentially enabling root privilege escalation. Exploitation has been demonstrated (e.g., exploit-db link in references). Remediation is to u...
CVE-2018-1049
CVE-2018-1049 describes a race condition in systemd prior to version 234 between .mount and .automount units, where automount requests from the kernel may not be serviced, causing the mountpoint to hang for affected processes and leading to denial of service. Connected advisories and Nessus plugi...
CVE-2019-15718
CVE-2019-15718 affects systemd (notably systemd 240) where bus_open_system_watch_bind_with_description in shared/bus-util.c calls sd_bus_set_trusted, disabling access controls for incoming D-Bus messages. This allows an unprivileged user to invoke D-Bus methods that should be restricted, enabling...
CVE-2020-1712
CVE-2020-1712 affects systemd; a heap use-after-free occurs when asynchronous Polkit queries are performed while handling dbus messages. Local unprivileged attackers can crash systemd services or potentially execute code to elevate privileges by sending crafted dbus messages. Public details acros...
CVE-2023-26604
CVE-2023-26604 affects systemd before 247. The root cause is that systemd does not set LESSSECURE=1, so other programs can be launched from the less pager while it runs as root, enabling local privilege escalation when systemctl is used from sudo. Substantiated impact: local privilege escalation with high severity. Remediati...
CVE-2023-7008
CVE-2023-7008 affects systemd-resolved in systemd, which accepts records of DNSSEC-signed domains even when they carry no signature, enabling record manipulation by an attacker via MITM or upstream resolver. Connected advisories confirm a fix is available in patched systemd packages (e.g., Debian 247.3-7+deb11...
CVE-2023-31437
Summary: CVE-2023-31437 affects systemd 253. An attacker could modify a sealed log file so that, in some views, not all existing and sealed log messages are displayed. The vendor reportedly denied this as a vulnerability. The connected sources (NVD, OSV entries) describe the issue but do not prov...
CVE-2018-16888
CVE-2018-16888 affects systemd. When a service runs as an unprivileged user, a local attacker who can write to the service’s PIDFile may trick systemd into killing other services and/or privileged processes. Vulnerable versions are those before v237. Remediation: update systemd to a fixed version...
CVE-2022-3821
The CVE-2022-3821 issue is an off-by-one buffer overrun in systemd’s format_timespan() within time-util.c that can cause a Denial of Service when specific time and accuracy values are supplied. Multiple connected sources confirm the vulnerability in systemd and reference a patched package update ...
CVE-2018-6954
CVE-2018-6954 affects systemd-tmpfiles in systemd up to version 237. The flaw arises from mishandling of symlinks present in non-terminal path components, enabling a local user to obtain ownership of arbitrary files by creating a directory and a file within it, then replacing the directory with a...
CVE-2017-15908
CVE-2017-15908 affects systemd 223–235 where a remote DNS server can reply with a crafted DNS NSEC RR to trigger an infinite loop in dns_packet_read_type_window() of systemd-resolved, causing DoS. Public advisories (Ubuntu USN-3558-1) reference CVE-2017-15908; related OpenVAS/Nessus entries docum...
CVE-2020-13776
CVE-2020-13776 (systemd) affects systemd up to version v245, where it mishandles usernames that start with decimal digits or 0x followed by hex digits. This can enable privilege escalation to root, as demonstrated by the 0x0 user account scenario. The issue is noted as a consequence of an incompl...
CVE-2017-18078
The CVE-2017-18078 issue affects systemd-tmpfiles in systemd prior to 237. The root cause is that tmpfiles may attempt ownership/permission changes on hardlinked files even when fs.protected_hardlinks is off, enabling a local attacker to bypass access restrictions by using a hard link to a file t...
CVE-2019-3844
Summary (CVE-2019-3844): Affected component is systemd with DynamicUser; a local attacker can create SUID/SGID binaries and gain access to resources owned by a potentially different service after the transient UID/GID is recycled. This is a local privilege escalation vulnerability. Remediation fo...
CVE-2023-31439
CVE-2023-31439: Affects systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file so that integrity checking shows no error, despite modifications. The initial description notes the vendor replied denying that this finding is a security vulnera...
CVE-2019-3843
CVE-2019-3843 concerns systemd's DynamicUser feature, where a service can create a SUID/SGID binary and retain it under a transient UID/GID after termination. The result is a local attacker potentially accessing resources owned by a different service in the future when UID/GID are recycled, as de...
CVE-2022-45873
CVE-2022-45873 affects systemd 250/251, enabling a local attacker to trigger a crash in systemd-coredump via a recursive crash in parse_elf_object, building an excessively deep backtrace that can deadlock the service. Exploitation described as calling the same function recursively and placing the...
CVE-2013-4327
CVE-2013-4327 describes a Polkit race condition used when systemd communicates with a polkit authority via D-Bus, enabling local users to bypass access restrictions using a PolkitUnixProcess PolkitSubject race with (1) setuid processes or (2) pkexec. Connected advisories (GLSA-201406-27, related ...
CVE-2018-20839
The CVE-2018-20839 entry concerns systemd 242, where a mishandled KDGKBMODE (current keyboard mode) check causes VT1 mode changes on logout. This can allow an attacker with physical access (watching shutdown or switching TTYs via Ctrl-Alt-F1/F2) to read cleartext passwords in certain scenarios. T...
CVE-2013-4392
CVE-2013-4392 pertains to systemd: during file permission updates, a symlink attack on unspecified files lets local users change permissions and SELinux contexts of arbitrary files. Root cause is a symlink-based manipulation affecting file metadata via systemd’s permission-update logic. The CVSS ...
CVE-2017-1000082
Technical details about CVE-2017-1000082 are not provided in the connected documents. The available material only reiterates that systemd v233 and earlier mishandle usernames starting with digits, with no additional vendor/version or remediation specifics.
CVE-2017-9445
The CVE-2017-9445 issue affects systemd up to version 233, where dns_packet_new in systemd-resolved may allocate a buffer that is too small when processing DNS responses. A malicious DNS server can craft a TCP payload to trigger an out-of-bounds write, potentially enabling remote code execution o...
CVE-2018-15687
CVE-2018-15687: A race condition in systemd's chown_one() was identified as a local privilege-escalation flaw, potentially allowing a local attacker to set arbitrary permissions on files. Affected products include systemd up to version 239. The issue is fixed in patched releases; multiple adviso...
CVE-2018-21029
CVE-2018-21029 affects systemd 239–245, where DNS over TLS accepts any CA-signed certificate because hostname validation is not performed with the GnuTLS backend and SNI is not sent. This creates potential exposure of confidentiality/integrity/availability for DNS over TLS connections, with CVSS ...
CVE-2016-7796
The CVE-2016-7796 vulnerability affects the systemd manager_dispatch_notify_fd path, where a local user can send a zero-length message on the notify socket, causing an error, disabling the notification handler and potentially leading to a system hang. Connected advisories (e.g., SUSE/OpenVAS/OSV ...
CVE-2012-0871
CVE-2012-0871 concerns systemd-logind’s session_link_x11_socket vulnerability in systemd (possibly 37 and earlier). A local user can exploit a symlink attack on /run/user/ to create or overwrite arbitrary files via login/logind-session.c. Multiple sources confirm the issue and describe affected c...
CVE-2016-10156
The CVE-2016-10156 issue affects systemd v228, where a flaw in /src/basic/fs-util.c caused world-writable SUID files to be created via systemd timers. This could allow a local attacker to escalate privileges to root. The vulnerability is fixed in systemd v229, and multiple advisories (SUSE/SLES o...
CVE-2013-4393
CVE-2013-4393 concerns the journald component of systemd. The vulnerability occurs when the origin of native messages is set to file, allowing a local attacker to trigger a denial of service (logging service blocking) by using a crafted file descriptor. The impact described in connected sources i...
CVE-2015-7510
CVE-2015-7510 is a stack-based buffer overflow in the NSS module nss-mymachines of systemd, specifically in getpwnam and getgrnam. The vulnerability is described as enabling a crash/DoS under exploitation of the NSS functions. Public references show patches/update activity (e.g., systemd commit a...
CVE-2016-7795
CVE-2016-7795 affects systemd 231 and earlier, where manager_invoke_notify_message processes a zero-length notify socket message, enabling local users to trigger denial of service (assertion failure and PID 1 hang). Connected advisories (e.g., MiracleLinux AXSA-2016-832:08 and EulerOS security ad...
CVE-2017-9217
CVE-2017-9217 affects systemd-resolved up to version 233; a crafted DNS response with an empty question section can trigger a remote denial of service (daemon crash). The vulnerability is documented in multiple advisories (e.g., SUSE-SU-2017:2031-1) and is fixed by applying the systemd security u...
CVE-2013-4391
CVE-2013-4391: Integer overflow in systemd’s journald-native.c (valid_user_field) allows remote attackers to crash the service and possibly execute code via a very large journal data field, triggering a heap-based buffer overflow. Documented impact includes denial of service and potential arbitr...
CVE-2013-4394
CVE-2013-4394 concerns systemd’s SetX11Keyboard function. When PKLA is used to change group permissions on XKB layouts, local users in that group may modify the Xorg X11 Server configuration file and potentially gain privileges through vectors involving special and control characters. The vulnera...
CVE-2012-1101
CVE-2012-1101 affects systemd 37-1. The issue occurs when non-existent services are not handled properly, resulting in a denial of service during login. The impact described is a failure of the login procedure with an availability impact. The connected documents provide this same description and ...
CVE-2023-31438
Affected product: systemd 253. Issue: attacker can truncate a sealed log file and then resume log sealing to make integrity checks pass despite modifications. Connected Red Hat doc for CVE-2023-31438 repeats this description and notes the vendor’s reply denying that it is a security vulne...
CVE-2026-29111
CVE-2026-29111: a local unprivileged user can trigger an assert in systemd via an unprivileged IPC API call with spurious data. The issue affects versions from v239 onward; versions older than v239 are not affected, while v249 and older exhibited stack overwriting with attacker-controlled content. Patches exist in...
CVE-2026-40226
The CVE affects systemd-nspawn: versions 233–259 (before 260) are vulnerable. A crafted optional config file can trigger an escape-to-host action. Root cause is not detailed beyond this vector in the provided docs. Remediation implied by the reference is upgrading to systemd 260 or later to mitig...