MidnightBSD

Advisories for systemd_project

CVE-2013-4327 MEDIUM

systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362

Products Affected

Vendor Product Version
systemd_project systemd *
canonical ubuntu_linux 13.04
debian debian_linux 7.0
CVE-2013-4391 HIGH

Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large journal data field, which triggers a heap-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190

Products Affected

Vendor Product Version
systemd_project systemd *
debian debian_linux 7.0
CVE-2013-4392 LOW

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2013-4393 LOW

journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service blocking) via a crafted file descriptor.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2013-4394 MEDIUM

The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving "special and control characters."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276

Products Affected

Vendor Product Version
systemd_project systemd *
debian debian_linux 7.0
CVE-2015-7510 HIGH

Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
systemd_project systemd 223
CVE-2016-10156 HIGH

A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264

Products Affected

Vendor Product Version
systemd_project systemd 228
CVE-2016-7795 MEDIUM

The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
CVE-2016-7796 MEDIUM

The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
novell suse_linux_enterprise_server_for_sap 12.0
systemd_project systemd 209
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
systemd_project systemd 213
novell suse_linux_enterprise_desktop 12
redhat enterprise_linux_hpc_node 7.0
systemd_project systemd 229
systemd_project systemd 214
novell suse_linux_enterprise_software_development_kit 12.0
novell suse_linux_enterprise_server 12.0
CVE-2017-1000082 HIGH

systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2017-15908 MEDIUM

In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835

Products Affected

Vendor Product Version
systemd_project systemd 230
systemd_project systemd 224
systemd_project systemd 226
systemd_project systemd 233
canonical ubuntu_linux 16.04
systemd_project systemd 229
systemd_project systemd 235
systemd_project systemd 225
systemd_project systemd 231
systemd_project systemd 223
systemd_project systemd 227
systemd_project systemd 232
systemd_project systemd 234
canonical ubuntu_linux 14.04
systemd_project systemd 228
CVE-2017-18078 MEDIUM

systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59

Products Affected

Vendor Product Version
systemd_project systemd *
opensuse leap 42.3
debian debian_linux 8.0
CVE-2017-9217 MEDIUM

systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2017-9445 MEDIUM

In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2018-1049 MEDIUM

In systemd prior to 234, a race condition exists between .mount and .automount units such that automount requests from the kernel may not be serviced by systemd, resulting in the kernel holding the mountpoint; any process that tries to use that mount will hang. A race condition like this may lead to denial of service until the mount points are unmounted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.04
systemd_project systemd *
redhat enterprise_linux_aus 7.4
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_aus 7.6
debian debian_linux 8.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux 7.0
CVE-2018-15686 HIGH

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
debian debian_linux 8.0
canonical ubuntu_linux 18.10
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.4.0
canonical ubuntu_linux 18.04
CVE-2018-15687 MEDIUM

A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
canonical ubuntu_linux 18.10
canonical ubuntu_linux 18.04
CVE-2018-15688 MEDIUM

A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd versions up to and including 239.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_eus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
canonical ubuntu_linux 18.10
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_tus 7.6
canonical ubuntu_linux 18.04
CVE-2018-16864 MEDIUM

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate their privileges. Versions through v240 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
oracle enterprise_communications_broker 3.0.0
oracle enterprise_communications_broker 3.1.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.4
canonical ubuntu_linux 16.04
systemd_project systemd *
debian debian_linux 9.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server 7.4
redhat enterprise_linux_server 7.5
oracle communications_session_border_controller 8.0.0
debian debian_linux 8.0
redhat enterprise_linux_server_tus 7.3
oracle communications_session_border_controller 8.2.0
canonical ubuntu_linux 18.10
oracle communications_session_border_controller 8.1.0
redhat enterprise_linux_server 7.6
redhat enterprise_linux_server_tus 7.6
canonical ubuntu_linux 18.04
CVE-2018-16865 MEDIUM

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
oracle enterprise_communications_broker 3.0.0
oracle enterprise_communications_broker 3.1.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.6
canonical ubuntu_linux 16.04
systemd_project systemd *
debian debian_linux 9.0
redhat enterprise_linux_server_eus 7.6
oracle communications_session_border_controller 8.0.0
debian debian_linux 8.0
redhat enterprise_linux_server_tus 7.3
oracle communications_session_border_controller 8.2.0
canonical ubuntu_linux 18.10
oracle communications_session_border_controller 8.1.0
redhat enterprise_linux_server_tus 7.6
canonical ubuntu_linux 18.04
CVE-2018-16866 LOW

An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-125, CWE-200

Products Affected

Vendor Product Version
redhat enterprise_linux_for_power_little_endian_eus 7.6
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_for_power_big_endian_eus 7.6
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_aus 7.6
debian debian_linux 9.0
netapp active_iq_performance_analytics_services -
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_for_ibm_z_systems_eus 7.6
redhat enterprise_linux 7.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.6
canonical ubuntu_linux 18.10
redhat enterprise_linux_for_power_big_endian 7.0
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_compute_node_eus 7.6
redhat enterprise_linux_for_ibm_z_systems_(structure_a) 7_s390x
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.4
canonical ubuntu_linux 16.04
systemd_project systemd *
redhat enterprise_linux_for_power_little_endian 7.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.4
redhat enterprise_linux_server_tus 7.6
canonical ubuntu_linux 18.04
netapp element_software *
CVE-2018-16888 LOW

It was discovered that systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run as an unprivileged user (e.g. the User field is set in the service file), a local attacker who is able to write to the PIDFile of that service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-250, CWE-269

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
netapp active_iq_performance_analytics_services -
canonical ubuntu_linux 19.10
netapp element_software -
redhat enterprise_linux 7.0
canonical ubuntu_linux 18.04
CVE-2018-20839 MEDIUM

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
netapp solidfire_&_hci_management_node -
systemd_project systemd 242
netapp snapprotect -
netapp cn1610_firmware -
CVE-2018-21029 HIGH

systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability, since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-295

Products Affected

Vendor Product Version
fedoraproject fedora 31
systemd_project systemd *
CVE-2018-6954 HIGH

systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-59

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
opensuse leap 42.3
canonical ubuntu_linux 18.10
canonical ubuntu_linux 18.04
CVE-2019-15718 LOW

In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 1.8 2.5

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
fedoraproject fedora 31
fedoraproject fedora 30
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
redhat enterprise_linux_for_ibm_z_systems_eus_s390x 8.1
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat enterprise_linux_for_ibm_z_systems_8_s390x *
redhat enterprise_linux_for_ibm_z_systems_eus_s390x 8.2
redhat enterprise_linux_server_tus 8.4
fedoraproject fedora 29
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
systemd_project systemd 240
redhat enterprise_linux_for_ibm_z_systems_eus 8.1
redhat openshift_container_platform 4.1
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.1
redhat enterprise_linux_server_aus 8.2
CVE-2019-20386 LOW

An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.4 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 0.9 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-401

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
netapp steelstore_cloud_integrated_storage -
fedoraproject fedora 30
netapp active_iq_unified_manager -
netapp cloud_backup -
opensuse leap 15.1
canonical ubuntu_linux 19.10
canonical ubuntu_linux 18.04
CVE-2019-3842 MEDIUM

In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285, CWE-863

Products Affected

Vendor Product Version
systemd_project systemd *
systemd_project systemd 242
fedoraproject fedora 30
debian debian_linux 8.0
redhat enterprise_linux 7.0
CVE-2019-3843 MEDIUM

It was discovered that a systemd service that uses the DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID is recycled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-266, CWE-269

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
fedoraproject fedora 30
canonical ubuntu_linux 19.10
netapp solidfire -
netapp snapprotect -
netapp cn1610_firmware -
netapp hci_management_node -
canonical ubuntu_linux 18.04
CVE-2019-3844 MEDIUM

It was discovered that a systemd service that uses the DynamicUser property can get new privileges through the execution of SUID binaries, which would allow it to create binaries owned by the service's transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID is recycled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-268, NVD-CWE-noinfo

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
systemd_project systemd *
canonical ubuntu_linux 19.10
netapp solidfire -
netapp snapprotect -
netapp cn1610_firmware -
netapp hci_management_node -
canonical ubuntu_linux 18.04
CVE-2019-6454 MEDIUM

An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787

Products Affected

Vendor Product Version
redhat enterprise_linux_for_ibm_z_systems_eus 7.5
redhat enterprise_linux_server_update_services_for_sap_solutions 7.3
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_for_power_big_endian_eus 7.4
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_for_ibm_z_systems_eus 7.4
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_compute_node_eus 7.5
fedoraproject fedora 29
canonical ubuntu_linux 18.10
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_for_power_little_endian_eus 7.4
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.4
redhat enterprise_linux_eus 8.1
redhat enterprise_linux 8.0
redhat enterprise_linux_server_update_services_for_sap_solutions 7.4
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 7.3
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_tus 8.4
mcafee web_gateway *
redhat enterprise_linux_server_update_services_for_sap_solutions 8.0
debian debian_linux 9.0
netapp active_iq_performance_analytics_services -
debian debian_linux 8.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_eus 7.5
opensuse leap 15.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.1
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat enterprise_linux_for_power_little_endian_eus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_power_little_endian_eus 7.5
canonical ubuntu_linux 16.04
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_for_power_little_endian_eus 8.1
canonical ubuntu_linux 18.04
systemd_project systemd 239
CVE-2020-13529 LOW

An exploitable denial-of-service vulnerability exists in systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DHCP ACK packets to reconfigure the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H 1.6 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-290

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
netapp cloud_backup -
fedoraproject fedora 33
systemd_project systemd 245
CVE-2020-13776 MEDIUM

systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269

Products Affected

Vendor Product Version
systemd_project systemd *
netapp solidfire_&_hci_management_node -
netapp active_iq_unified_manager -
fedoraproject fedora 32
CVE-2020-1712 MEDIUM

A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416

Products Affected

Vendor Product Version
systemd_project systemd *
debian debian_linux 9.0
redhat enterprise_linux 8.0
redhat ceph_storage 4.0
redhat migration_toolkit 1.0
redhat openshift_container_platform 4.0
redhat discovery -
CVE-2021-33910 MEDIUM

basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770

Products Affected

Vendor Product Version
systemd_project systemd *
fedoraproject fedora 34
debian debian_linux 10.0
netapp solidfire -
fedoraproject fedora 33
netapp hci_management_node -
CVE-2021-3997

A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
systemd_project systemd *
redhat enterprise_linux 8.0
fedoraproject fedora 35
fedoraproject fedora 34
redhat enterprise_linux 9.0
redhat enterprise_linux 7.0
CVE-2022-2526

A use-after-free vulnerability was found in systemd. This issue occurs because the on_stream_io() function and the dns_stream_complete() function in 'resolved-dns-stream.c' do not increment the reference count of the DnsStream object. Other functions and callbacks that are called can therefore dereference the DnsStream object, causing a use-after-free when the reference is used later.

Products Affected

Vendor Product Version
netapp h300s_firmware -
netapp h410s_firmware -
netapp active_iq_unified_manager -
netapp h500s_firmware -
netapp h700s_firmware -
systemd_project systemd 240
CVE-2022-3821

An off-by-one error was discovered in systemd in the format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that lead to a buffer overrun in format_timespan(), resulting in a denial of service.

Products Affected

Vendor Product Version
systemd_project systemd *
redhat enterprise_linux 8.0
fedoraproject fedora 35
redhat enterprise_linux 9.0
CVE-2022-4415

A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2022-45873

systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
systemd_project systemd *
fedoraproject fedora 36
systemd_project systemd 252
CVE-2023-26604

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
systemd_project systemd *
debian debian_linux 10.0
CVE-2023-31437

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Products Affected

Vendor Product Version
systemd_project systemd 253
CVE-2023-31438

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Products Affected

Vendor Product Version
systemd_project systemd 253
CVE-2023-31439

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Products Affected

Vendor Product Version
systemd_project systemd 253
CVE-2023-7008

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

Products Affected

Vendor Product Version
systemd_project systemd 25
CVE-2025-4598

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary in order to access the original privileged process's coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission that allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and forcing the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original SUID process's coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.0 3.6

Products Affected

Vendor Product Version
systemd_project systemd *
redhat enterprise_linux 8.0
debian debian_linux 11.0
oracle linux 9
redhat enterprise_linux 9.0
linux linux_kernel *
redhat openshift_container_platform 4.0
debian debian_linux 12.0
oracle linux 8
redhat enterprise_linux 10.0
redhat enterprise_linux 7.0
CVE-2026-40223

In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.0 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2026-40224

In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 0.8 5.9
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.3 5.9

Products Affected

Vendor Product Version
systemd_project systemd *
CVE-2026-40225

In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.4 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
systemd_project systemd *