Systemd Project Systemd — known CVE vulnerabilities
Every CVE whose affected-product data names Systemd Project Systemd, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (55)
CVE-2022-2526 — CVSS 9.8 (critical): A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete()…
CVE-2017-1000082 — CVSS 9.8 (critical): systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with…
CVE-2015-7510 — CVSS 9.8 (critical): Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd.
CVE-2018-21029 — CVSS 9.8 (critical): systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is…
CVE-2018-15688 — CVSS 8.8 (high): A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in…
CVE-2016-10156 — CVSS 7.8 (high): A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features…
CVE-2023-26604 — CVSS 7.8 (high): systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in…
CVE-2018-6954 — CVSS 7.8 (high): systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain…
CVE-2017-18078 — CVSS 7.8 (high): systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the…
CVE-2019-3843 — CVSS 7.8 (high): It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the…
CVE-2018-16864 — CVSS 7.8 (high): An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in…
CVE-2020-1712 — CVSS 7.8 (high): A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while…
CVE-2018-15686 — CVSS 7.8 (high): A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess…
CVE-2019-3844 — CVSS 7.8 (high): It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries…
CVE-2018-16865 — CVSS 7.8 (high): An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in…
CVE-2017-9217 — CVSS 7.5 (high): systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty…
CVE-2013-4391 — CVSS 7.5 (high): Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of…
CVE-2017-15908 — CVSS 7.5 (high): In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in…
CVE-2017-9445 — CVSS 7.5 (high): In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A…
CVE-2018-15687 — CVSS 7.0 (high): A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected…
CVE-2019-3842 — CVSS 7.0 (high): In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT…
CVE-2013-4327 — CVSS 6.9 (medium): systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access…
CVE-2020-13776 — CVSS 6.7 (medium): systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated…
CVE-2026-40224 — CVSS 6.7 (medium): In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.
CVE-2026-40225 — CVSS 6.4 (medium): In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.
CVE-2026-40226 — CVSS 6.4 (medium): In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
CVE-2012-0871 — CVSS 6.3 (medium): The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to…
CVE-2026-40227 — CVSS 6.2 (medium): In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.
CVE-2020-13529 — CVSS 6.1 (medium): An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running…
CVE-2013-4394 — CVSS 5.9 (medium): The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard…
CVE-2018-1049 — CVSS 5.9 (medium): In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be…
CVE-2023-7008 — CVSS 5.9 (medium): A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when…
CVE-2012-1101 — CVSS 5.5 (medium): systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure).
CVE-2019-6454 — CVSS 5.5 (medium): An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack…
CVE-2021-33910 — CVSS 5.5 (medium): basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving…
CVE-2021-3997 — CVSS 5.5 (medium): A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many…
CVE-2016-7796 — CVSS 5.5 (medium): The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message…
CVE-2022-3821 — CVSS 5.5 (medium): An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values…
CVE-2022-4415 — CVSS 5.5 (medium): A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the…
CVE-2022-45873 — CVSS 5.5 (medium): systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs…
CVE-2016-7795 — CVSS 5.5 (medium): The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure…
CVE-2026-29111 — CVSS 5.5 (medium): systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with…
CVE-2023-31438 — CVSS 5.3 (medium): An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the…
CVE-2023-31439 — CVSS 5.3 (medium): An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file…
CVE-2023-31437 — CVSS 5.3 (medium): An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log…
CVE-2013-4392 — CVSS 5.0 (medium): systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via…
CVE-2026-40223 — CVSS 4.7 (medium): In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.
CVE-2018-16888 — CVSS 4.7 (medium): It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run…
CVE-2025-4598 — CVSS 4.7 (medium): A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID…
CVE-2019-15718 — CVSS 4.4 (medium): In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system…
CVE-2018-20839 — CVSS 4.3 (medium): systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as…
CVE-2018-16866 — CVSS 3.3 (low): An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local…
CVE-2026-40228 — CVSS 2.9 (low): In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is…
CVE-2019-20386 — CVSS 2.4 (low): An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory…
CVE-2013-4393 — CVSS 2.1 (low): journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service…