Description
systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with attacker-controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.
Published: 2026-03-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service with potential code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in systemd, the system and service manager used as the init process on Linux hosts. An unprivileged user can trigger a defensive assert, or on older releases (v249 and earlier) a stack overwrite, by making a special IPC API call with malformed data. The assert causes the process to freeze, creating a denial‑of‑service condition. In the vulnerable older versions the memory corruption could allow an attacker to execute arbitrary code, provided a suitable exploitation path can be constructed. The weakness is classified as CWE‑1287 (Incorrect Processing of Dangling Users Input) and CWE‑269 (Improper System Permissions for a Resource).

Affected Systems

Affected installations are those running systemd version 239 through 249 that have not applied the later safety check. From version v250 onward the unsafe path has been replaced by a failsafe assert, preventing the overwrite. The patch set is present in releases 260‑rc1, 259.2, 258.5, and 257.11. Systems that use older or maintenance‑branch versions of systemd remain susceptible, and because systemd typically runs as PID 1 the fault directly impacts the host's core services.

Risk and Exploitability

The CVSS score for this issue is 5.5, indicating medium severity. The EPSS score is less than 1%, indicating a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, so no widespread active exploitation has been reported. An adversary could cause service interruption or, in the case of legacy releases, potentially gain unprivileged code execution through stack corruption.

Generated by OpenCVE AI on April 15, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade systemd to version 250 or newer, or apply any distribution‑specific patch updates that contain the fix.
  • Restart affected services or run systemctl daemon-reload to ensure the updated unit files are loaded.
  • Reboot the host so the new PID 1 process starts with the corrected IPC logic.


Advisories
Source | ID | Title
Debian DLA | DLA-4533-1 | systemd security update
History

Wed, 15 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Systemd Project
Systemd Project systemd
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
Vendors & Products Systemd Project
Systemd Project systemd

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Systemd
Systemd systemd
Vendors & Products Systemd
Systemd systemd

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with attacker-controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.
Title systemd: Local unprivileged user can trigger an assert
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T19:13:11.875Z

Reserved: 2026-03-03T21:54:06.709Z

Link: CVE-2026-29111

Vulnrichment

Updated: 2026-03-25T19:13:03.941Z

NVD

Status: Analyzed

Published: 2026-03-23T22:16:26.267

Modified: 2026-04-15T16:44:38.387

Link: CVE-2026-29111

Redhat

Severity: Moderate

Public Date: 2026-03-23T21:03:56Z

Links: CVE-2026-29111 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z