{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40226", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-10T15:18:10.040Z", "datePublished": "2026-04-10T15:18:10.447Z", "dateUpdated": "2026-04-14T14:48:20.451Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "systemd", "vendor": "systemd", "versions": [{"lessThan": "260", "status": "affected", "version": "233", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-348", "description": "CWE-348 Use of Less Trusted Source", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:34:22.039Z"}, "references": [{"url": "https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:47:51.552925Z", "id": "CVE-2026-40226", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:48:20.451Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40226", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:47:51.552925Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:48:02.999Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "systemd", "product": "systemd", "versions": [{"status": "affected", "version": "233", "lessThan": "260", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-348", "description": "CWE-348 Use of Less Trusted Source"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:34:22.039Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40226", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:48:20.451Z", "dateReserved": "2026-04-10T15:18:10.040Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T15:18:10.447Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "29AAD5A6-4198-4D58-9FBB-FE35AFADA909", "versionEndExcluding": "257.12", "versionStartIncluding": "233", "vulnerable": true}, {"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDEB656F-DF55-418A-A250-E414B7DFF975", "versionEndExcluding": "258.6", "versionStartIncluding": "258", "vulnerable": true}, {"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D35ABE2-6825-4820-96FA-37601DA85848", "versionEndExcluding": "259.4", "versionStartIncluding": "259", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file."}], "id": "CVE-2026-40226", "lastModified": "2026-04-17T22:02:15.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-10T16:16:33.447", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-348"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "systemd: systemd nspawn: Escape-to-host action via crafted config file", "id": "2457326", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457326"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-348", "details": ["A flaw was found in nspawn, a container runtime environment within systemd. A local attacker or a process within an nspawn container could exploit this vulnerability by using a specially crafted optional configuration file. This could allow the attacker to escape the container's isolation and execute arbitrary actions on the host system."], "name": "CVE-2026-40226", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-10T15:18:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40226\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40226\nhttps://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[233,260)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "systemd", "source": "cna", "vendor": "systemd"}, "product": "systemd", "vendor": "systemd"}], "analysis": {"en": {"generated_at": "2026-04-10T16:50:17.848015+00:00", "value": {"mitigation_remediation": ["Apply a systemd update to version 260 or later, which removes the vulnerable escape-to-host path.", "If a patch cannot be applied immediately, prevent attackers from creating or modifying optional configuration files used by nspawn, such as removing them or tightening permissions."], "summary": {"action": "Upgrade", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected systems are those running systemd versions 233 through 259 inclusive. This includes many Linux distributions that ship with these releases, and the nspawn service on those systems is vulnerable. Without more granular version data, any system within that range is at risk until it is upgraded.", "description_and_impact": "A crafted optional configuration file can trigger an escape-to-host action in the nspawn component of systemd versions 233 to 259. The vulnerability permits an attacker to break out of the isolated container and gain elevated privileges on the host. The weakness is identified as CWE\u2011348, indicating a privilege\u2011escalation flaw. The impact is that an attacker who can supply a malicious config file could execute arbitrary commands with elevated rights, potentially compromising confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "The CVSS base score of 6.4 denotes a moderate severity. No EPSS score is available, so the exact likelihood of exploitation is uncertain. The vulnerability is not listed in CISA's KEV catalog, yet it remains present in widely deployed systemd releases. The likely attack vector is a local or authenticated user who can create or modify optional configuration files read by nspawn; exploitation requires only the ability to supply a crafted file, which in turn can trigger the escape-to-host action and execute arbitrary shell commands on the host."}}}}, "created": "2026-04-13T12:44:47.962882+00:00", "title": "systemd nspawn Escape-to-Host Vulnerability via Optional Config", "updated": "2026-04-13T13:01:19.079840+00:00", "vendors": ["systemd", "systemd$PRODUCT$systemd"]}