CVE-2026-40223

Published Apr 10, 2026

Last updated a month ago

CVSS medium 4.7

Overview

Description
In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.
Source
cve@mitre.org
NVD status
Analyzed
Products
systemd

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

cve@mitre.org
CWE-696

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.CVE-2026-40226
  2. In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.CVE-2026-40225
  3. In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.CVE-2026-40224
  4. In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.CVE-2026-40228
  5. In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.CVE-2026-40227

References

Sources include official advisories and independent security research.