Vendor
Systemd Project
Products
1
CVEs
21
Across products
72
Status
Private
Products
1- 72 CVEs
Recent CVEs
21| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-7510 | Cri | 0.64 | 9.8 | 0.01 | Sep 25, 2017 | Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. | |
| CVE-2017-1000082 | Cri | 0.64 | 9.8 | 0.00 | Jul 7, 2017 | systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended. | |
| CVE-2016-10156 | Hig | 0.54 | 7.8 | 0.01 | Jan 23, 2017 | A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229. | |
| CVE-2017-15908 | Hig | 0.49 | 7.5 | 0.00 | Oct 26, 2017 | In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service. | |
| CVE-2017-9445 | Hig | 0.49 | 7.5 | 0.01 | Jun 28, 2017 | In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it. | |
| CVE-2017-9217 | Hig | 0.49 | 7.5 | 0.01 | May 24, 2017 | systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section. | |
| CVE-2026-40224 | Med | 0.44 | 6.7 | 0.00 | Apr 10, 2026 | In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace. | |
| CVE-2026-40226 | Med | 0.42 | 6.4 | 0.00 | Apr 10, 2026 | In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. | |
| CVE-2026-40225 | Med | 0.42 | 6.4 | 0.00 | Apr 10, 2026 | In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. | |
| CVE-2026-40227 | Med | 0.40 | 6.2 | 0.00 | Apr 10, 2026 | In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element. | |
| CVE-2016-7796 | Med | 0.36 | 5.5 | 0.00 | Oct 13, 2016 | The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled. | |
| CVE-2016-7795 | Med | 0.36 | 5.5 | 0.00 | Oct 13, 2016 | The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. | |
| CVE-2013-4392 | Med | 0.33 | 5.0 | 0.00 | Oct 28, 2013 | systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. | |
| CVE-2026-40223 | Med | 0.31 | 4.7 | 0.00 | Apr 10, 2026 | In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running. | |
| CVE-2026-29111 | Med | 0.29 | 5.5 | 0.00 | Mar 23, 2026 | systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available. | |
| CVE-2026-40228 | Low | 0.19 | 2.9 | 0.00 | Apr 10, 2026 | In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set. | |
| CVE-2012-0871 | 0.00 | — | 0.00 | Apr 18, 2014 | The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/. | ||
| CVE-2013-4394 | 0.00 | — | 0.00 | Oct 28, 2013 | The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving "special and control characters." | ||
| CVE-2013-4393 | 0.00 | — | 0.00 | Oct 28, 2013 | journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service blocking) via a crafted file descriptor. | ||
| CVE-2013-4391 | 0.00 | — | 0.04 | Oct 28, 2013 | Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large journal data field, which triggers a heap-based buffer overflow. |