CVE-2026-40228

Published Apr 10, 2026

Last updated 21 days ago

CVSS low 2.9

Overview

Description
In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.
Source
cve@mitre.org
NVD status
Modified
Products
systemd

Risk scores

CVSS 3.1

Type
Primary
Base score
3.3
Impact score
1.4
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity
LOW

Weaknesses

cve@mitre.org
CWE-669

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.CVE-2026-40227
  2. In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.CVE-2026-40226
  3. In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.CVE-2026-40225
  4. In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.CVE-2026-40224
  5. In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.CVE-2026-40223

References

Sources include official advisories and independent security research.