rpm package
opensuse/polkit&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/polkit&distro=openSUSE%20Tumbleweed
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4897 | Med | 5.5 | < 127-3.1 | 127-3.1 | Mar 26, 2026 | A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of | |
| CVE-2025-7519 | — | < 127-3.1 | 127-3.1 | Jul 14, 2025 | A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-pr | ||
| CVE-2021-4115 | — | < 0.120-3.1 | 0.120-3.1 | Feb 21, 2022 | There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and | ||
| CVE-2021-3560 | — | KEV | < 0.118-7.2 | 0.118-7.2 | Feb 16, 2022 | It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest | |
| CVE-2021-4034 | — | KEV | < 0.120-2.1 | 0.120-2.1 | Jan 28, 2022 | A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the callin | |
| CVE-2019-6133 | — | < 0.118-7.2 | 0.118-7.2 | Jan 11, 2019 | In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. | ||
| CVE-2018-19788 | — | < 0.118-7.2 | 0.118-7.2 | Dec 3, 2018 | A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command. | ||
| CVE-2018-1116 | — | < 0.118-7.2 | 0.118-7.2 | Jul 10, 2018 | A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a l |
- affected < 127-3.1fixed 127-3.1
A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of
- CVE-2025-7519Jul 14, 2025affected < 127-3.1fixed 127-3.1
A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-pr
- CVE-2021-4115Feb 21, 2022affected < 0.120-3.1fixed 0.120-3.1
There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion. The highest threat from this vulnerability is to availability. NOTE: Polkit process outage duration is tied to the failing process being reaped and
- affected < 0.118-7.2fixed 0.118-7.2
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest
- affected < 0.120-2.1fixed 0.120-2.1
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the callin
- CVE-2019-6133Jan 11, 2019affected < 0.118-7.2fixed 0.118-7.2
In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.
- CVE-2018-19788Dec 3, 2018affected < 0.118-7.2fixed 0.118-7.2
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
- CVE-2018-1116Jul 10, 2018affected < 0.118-7.2fixed 0.118-7.2
A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a l