{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40224", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-10T15:14:21.394Z", "datePublished": "2026-04-10T15:14:21.904Z", "dateUpdated": "2026-04-10T18:13:05.818Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "systemd", "vendor": "systemd", "versions": [{"lessThan": "260", "status": "affected", "version": "259", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:33:17.159Z"}, "references": [{"url": "https://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:12:38.526078Z", "id": "CVE-2026-40224", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:13:05.818Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40224", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-10T18:12:38.526078Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:13:00.863Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "systemd", "product": "systemd", "versions": [{"status": "affected", "version": "259", "lessThan": "260", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T15:33:17.159Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40224", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:13:05.818Z", "dateReserved": "2026-04-10T15:14:21.394Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T15:14:21.904Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B8BB85D-C368-4D62-9492-83E66C2F1450", "versionEndExcluding": "259.3", "versionStartIncluding": "259", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace."}], "id": "CVE-2026-40224", "lastModified": "2026-04-27T19:08:24.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T16:16:33.113", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "systemd: systemd-machined: Local privilege escalation via varlink", "id": "2457325", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457325"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-266", "details": ["A flaw was found in systemd-machined, a component of systemd. A local attacker can exploit a vulnerability related to how varlink interacts with the root namespace. This can lead to local privilege escalation, allowing the attacker to gain elevated access on the system."], "name": "CVE-2026-40224", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-10T15:14:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40224\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40224\nhttps://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[259,260)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "systemd", "source": "cna", "vendor": "systemd"}, "product": "systemd", "vendor": "systemd"}], "analysis": {"en": {"generated_at": "2026-04-14T02:07:29.164601+00:00", "value": {"mitigation_remediation": ["Update systemd to version\u202f260 or later to eliminate the vulnerability."], "summary": {"action": "Apply Patch", "impact": "Local privilege escalation"}, "threat_synthesis": {"affected_systems": "The affected vendor is systemd, product systemd. Versions affected are 259 or earlier, prior to the 260 release.", "description_and_impact": "The vulnerability is a local privilege escalation in systemd versions 259 and earlier, caused by the varlink interface in systemd-machined that allows access to the root namespace. The weakness is an improper use of authorization mechanisms (CWE-863) combined with insufficient privilege management (CWE-266). An attacker with local access can direct the systemd-machined service to perform privileged operations, potentially altering system configuration or accessing sensitive data.", "risk_and_exploitability": "The CVSS score of 6.7 indicates a medium\u2011high severity, while the EPSS score of less than 1\u202f% suggests a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, and it requires local access; therefore an attacker must already have some foothold on the machine to exploit it. Though the likelihood of exploitation in the wild may be low, the potential impact of privilege escalation warrants timely remediation."}}}}, "created": "2026-04-13T12:44:49.989401+00:00", "updated": "2026-04-14T16:36:30.211692+00:00", "vendors": ["systemd", "systemd$PRODUCT$systemd"]}