CVE-2026-40226 - Vulnerability Details

- systemd: systemd nspawn: Escape-to-host action via crafted config file

Description

In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

Published: 2026-04-10

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A crafted optional configuration file can trigger an escape-to-host action in the nspawn component of systemd versions 233 to 259. The vulnerability permits an attacker to break out of the isolated container and gain elevated privileges on the host. The weakness is identified as CWE‑348, indicating a privilege‑escalation flaw. The impact is that an attacker who can supply a malicious config file could execute arbitrary commands with elevated rights, potentially compromising confidentiality, integrity, and availability of the host system.

Affected Systems

Affected systems are those running systemd versions 233 through 259 inclusive. This includes many Linux distributions that ship with these releases, and the nspawn service on those systems is vulnerable. Without more granular version data, any system within that range is at risk until it is upgraded.

Risk and Exploitability

The CVSS base score of 6.4 denotes a moderate severity. No EPSS score is available, so the exact likelihood of exploitation is uncertain. The vulnerability is not listed in CISA's KEV catalog, yet it remains present in widely deployed systemd releases. The likely attack vector is a local or authenticated user who can create or modify optional configuration files read by nspawn; exploitation requires only the ability to supply a crafted file, which in turn can trigger the escape-to-host action and execute arbitrary shell commands on the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

systemd

unaffected

Version	Status	Constraints
`233`	affected	< 260

Configuration 1 [-]

OR	cpe:2.3:a:systemd_project:systemd::::::::
	cpe:2.3:a:systemd_project:systemd::::::::
	cpe:2.3:a:systemd_project:systemd::::::::

No data.

Vendor Product Confidence Versions

Systemd

100%

Version	Status	Scheme	Platform
`[233,260)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a systemd update to version 260 or later, which removes the vulnerable escape-to-host path.
If a patch cannot be applied immediately, prevent attackers from creating or modifying optional configuration files used by nspawn, such as removing them or tightening permissions.

Generated by OpenCVE AI on April 10, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4533-1	systemd security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00009.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx
https://nvd.nist.gov/vuln/detail/CVE-2026-40226
https://www.cve.org/CVERecord?id=CVE-2026-40226

History

Fri, 17 Apr 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Systemd Project Systemd Project systemd
CPEs		cpe:2.3:a:systemd_project:systemd::::::::
Vendors & Products		Systemd Project Systemd Project systemd

Tue, 14 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title	systemd nspawn Escape-to-Host Vulnerability via Optional Config	systemd: systemd nspawn: Escape-to-host action via crafted config file
References		https://nvd.nist.gov/vuln/detail/CVE-2026-40226 https://www.cve.org/CVERecord?id=CVE-2026-40226
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Title		systemd nspawn Escape-to-Host Vulnerability via Optional Config

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Systemd Systemd systemd
Vendors & Products		Systemd Systemd systemd

Fri, 10 Apr 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
Weaknesses		CWE-348
References		https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Systemd Systemd

Systemd Project Systemd

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-10T15:18:10.447Z

Updated: 2026-04-14T14:48:20.451Z

Reserved: 2026-04-10T15:18:10.040Z

Link: CVE-2026-40226

Vulnrichment

Updated: 2026-04-14T14:48:02.999Z

NVD

Status : Analyzed

Published: 2026-04-10T16:16:33.447

Modified: 2026-04-17T22:02:15.393

Link: CVE-2026-40226

Redhat

Severity : Moderate

Publid Date: 2026-04-10T15:18:10Z

Links: CVE-2026-40226 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-13T13:01:19Z

Weaknesses

CWE-348

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object