CVE-2026-40224

Published Apr 10, 2026

Last updated a month ago

CVSS medium 6.7

Overview

Description
In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.
Source
cve@mitre.org
NVD status
Analyzed
Products
systemd

Risk scores

CVSS 3.1

Type
Primary
Base score
7.3
Impact score
5.9
Exploitability score
1.3
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

cve@mitre.org
CWE-863

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.CVE-2026-40227
  2. In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.CVE-2026-40225
  3. In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.CVE-2026-40226
  4. In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.CVE-2026-40228
  5. In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.CVE-2026-40223

References

Sources include official advisories and independent security research.