| Package | systemd |
|---|---|
| Version | 241-7~deb10u12 (buster) |
| Related CVEs | CVE-2026-4105 CVE-2026-29111 CVE-2026-40225 CVE-2026-40226 |
The following vulnerabilities have been discovered systemd:
- CVE-2026-4105
-
The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
- CVE-2026-29111
-
When an unprivileged IPC API call is made with spurious data, a stack overwrite occurs, with the attacker controlled content.
- CVE-2026-40225
-
udev: local root execution can occur via malicious hardware devices and unsanitized kernel output.
- CVE-2026-40226
-
nspawn: an escape-to-host action can occur via a crafted optional config file.
For Debian 10 buster, these problems have been fixed in version 241-7~deb10u12.
We recommend that you upgrade your systemd packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.