| Package | systemd |
|---|---|
| Version | 232-25+deb9u18 (stretch) |
| Related CVEs | CVE-2026-4105 CVE-2026-40225 |
The following vulnerabilities have been discovered systemd:
- CVE-2026-4105
-
The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
- CVE-2026-40225
-
udev: local root execution can occur via malicious hardware devices and unsanitized kernel output.
For Debian 9 stretch, these problems have been fixed in version 232-25+deb9u18.
We recommend that you upgrade your systemd packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.