{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29111", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.709Z", "datePublished": "2026-03-23T21:03:56.120Z", "dateUpdated": "2026-03-25T19:13:11.875Z"}, "containers": {"cna": {"title": "systemd: Local unprivileged user can trigger an assert", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"}, {"name": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a"}, {"name": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6"}, {"name": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412"}, {"name": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd"}, {"name": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f"}, {"name": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f"}, {"name": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69"}, {"name": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6"}, {"name": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c"}, {"name": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8"}], "affected": [{"vendor": "systemd", "product": "systemd", "versions": [{"version": ">= 239, < 257.11", "status": "affected"}, {"version": ">= 258, < 258.5", "status": "affected"}, {"version": ">= 259, < 259.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:03:56.120Z"}, "descriptions": [{"lang": "en", "value": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available."}], "source": {"advisory": "GHSA-gx6q-6f99-m764", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:12:36.640498Z", "id": "CVE-2026-29111", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:13:11.875Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29111", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:12:36.640498Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:13:03.941Z"}}], "cna": {"title": "systemd: Local unprivileged user can trigger an assert", "source": {"advisory": "GHSA-gx6q-6f99-m764", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "systemd", "product": "systemd", "versions": [{"status": "affected", "version": ">= 239, < 257.11"}, {"status": "affected", "version": ">= 258, < 258.5"}, {"status": "affected", "version": ">= 259, < 259.2"}]}], "references": [{"url": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764", "name": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a", "name": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6", "name": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412", "name": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd", "name": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f", "name": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f", "name": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69", "name": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6", "name": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c", "name": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8", "name": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:03:56.120Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29111", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:13:11.875Z", "dateReserved": "2026-03-03T21:54:06.709Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T21:03:56.120Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B7440B3-21E0-4CE7-B414-B468DF589EB2", "versionEndExcluding": "257.11", "versionStartIncluding": "239", "vulnerable": true}, {"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "17A98BF3-E6DB-4C8F-8D17-858CB679884E", "versionEndExcluding": "258.5", "versionStartIncluding": "258", "vulnerable": true}, {"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE1B8AFB-01F5-4B3F-BB53-DCAE57F2C2A2", "versionEndExcluding": "259.2", "versionStartIncluding": "259", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available."}, {"lang": "es", "value": "systemd, un gestor de sistemas y servicios, (como PID 1) activa una aserci\u00f3n y congela la ejecuci\u00f3n cuando se realiza una llamada a la API IPC no privilegiada con datos espurios. En la versi\u00f3n v249 y anteriores, el efecto no es una aserci\u00f3n, sino una sobrescritura de pila, con contenido controlado por el atacante. A partir de la versi\u00f3n v250 y posteriores, esto no es posible ya que la comprobaci\u00f3n de seguridad provoca una aserci\u00f3n en su lugar. Esta llamada IPC se a\u00f1adi\u00f3 en v239, por lo que las versiones anteriores a esa no est\u00e1n afectadas. Las versiones 260-rc1, 259.2, 258.5 y 257.11 contienen parches. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-29111", "lastModified": "2026-04-15T16:44:38.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T22:16:26.267", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data", "id": "2450505", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450505"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1287", "details": ["A flaw was found in systemd, a system and service manager. An unprivileged user can exploit this vulnerability by making an Inter-Process Communication (IPC) API call with spurious data. In older versions (v249 and earlier), this can lead to stack overwriting with attacker-controlled content, potentially enabling arbitrary code execution or privilege escalation. In newer versions (v250 and later), the flaw causes systemd to assert and freeze, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-29111", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-23T21:03:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29111\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29111\nhttps://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a\nhttps://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6\nhttps://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412\nhttps://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd\nhttps://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f\nhttps://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f\nhttps://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69\nhttps://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6\nhttps://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c\nhttps://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8\nhttps://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[239,257.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[258,258.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[259,259.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "systemd", "source": "cna", "vendor": "systemd"}, "product": "systemd", "vendor": "systemd"}], "analysis": {"en": {"generated_at": "2026-04-15T22:38:16.441850+00:00", "value": {"mitigation_remediation": ["Upgrade systemd to version 250 or newer, or apply any distribution\u2011specific patch updates that contain the fix.", "Restart affected services or run systemctl daemon-reload to ensure the updated unit files are loaded.", "Reboot the host so the new PID\u00a01 process starts with the corrected IPC logic."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service with potential code execution"}, "threat_synthesis": {"affected_systems": "Affected installations are those running systemd version 239 through 249 that have not applied the later safety check. From version v250 onward the unsafe path has been replaced by a failsafe assert, preventing the overwrite. The patch set is present in releases 260\u2011rc1, 259.2, 258.5, and 257.11. Systems that use older or maintenance\u2011branch versions of systemd remain susceptible, and because systemd typically runs as PID 1 the fault directly impacts the host's core services.", "description_and_impact": "The vulnerability occurs in systemd, the system and service manager used as the init process on Linux hosts. An unprivileged user can trigger a defensive assert, or on older releases (v249 and earlier) a stack overwrite, by making a special IPC API call with malformed data. The assert causes the process to freeze, creating a denial\u2011of\u2011service condition. In the vulnerable older versions the memory corruption could allow an attacker to execute arbitrary code, provided a suitable exploitation path can be constructed. The weakness is classified as CWE\u20111287 (Incorrect Processing of Dangling Users Input) and CWE\u2011269 (Improper System Permissions for a Resource).", "risk_and_exploitability": "The CVSS score for this issue is 5.5, indicating medium severity. The EPSS score is less than 1%, indicating a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, so no widespread active exploitation has been reported. An adversary could cause service interruption or, in the case of legacy releases, potentially gain unprivileged code execution through stack corruption."}}}}, "created": "2026-03-24T10:32:42.013627+00:00", "updated": "2026-04-15T22:45:16.438997+00:00", "vendors": ["systemd", "systemd$PRODUCT$systemd"]}