{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29111", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.709Z", "datePublished": "2026-03-23T21:03:56.120Z", "dateUpdated": "2026-03-23T21:03:56.120Z"}, "containers": {"cna": {"title": "systemd: Local unprivileged user can trigger an assert", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"}, {"name": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a"}, {"name": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6"}, {"name": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412"}, {"name": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd"}, {"name": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f"}, {"name": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f"}, {"name": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69"}, {"name": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6"}, {"name": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c"}, {"name": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8", "tags": ["x_refsource_MISC"], "url": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8"}], "affected": [{"vendor": "systemd", "product": "systemd", "versions": [{"version": ">= 239, < 257.11", "status": "affected"}, {"version": ">= 258, < 258.5", "status": "affected"}, {"version": ">= 259, < 259.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:03:56.120Z"}, "descriptions": [{"lang": "en", "value": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available."}], "source": {"advisory": "GHSA-gx6q-6f99-m764", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available."}], "id": "CVE-2026-29111", "lastModified": "2026-03-23T22:16:26.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T22:16:26.267", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8"}, {"source": "security-advisories@github.com", "url": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data", "id": "2450505", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450505"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1287", "details": ["A flaw was found in systemd, a system and service manager. An unprivileged user can exploit this vulnerability by making an Inter-Process Communication (IPC) API call with spurious data. In older versions (v249 and earlier), this can lead to stack overwriting with attacker-controlled content, potentially enabling arbitrary code execution or privilege escalation. In newer versions (v250 and later), the flaw causes systemd to assert and freeze, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-29111", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "NetworkManager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "systemd", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-23T21:03:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29111\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29111\nhttps://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a\nhttps://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6\nhttps://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412\nhttps://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd\nhttps://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f\nhttps://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f\nhttps://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69\nhttps://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6\nhttps://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c\nhttps://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8\nhttps://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[239,257.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[258,258.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[259,259.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "systemd", "source": "cna", "vendor": "systemd"}, "product": "systemd", "vendor": "systemd"}], "created": "2026-03-24T10:32:42.013627+00:00", "updated": "2026-03-24T10:32:42.013726+00:00", "vendors": ["systemd", "systemd$PRODUCT$systemd"]}