{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40228", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-10T15:48:43.773Z", "datePublished": "2026-04-10T15:48:44.215Z", "dateUpdated": "2026-05-05T01:34:55.360Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "systemd", "vendor": "systemd", "versions": [{"status": "affected", "version": "259", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T16:07:32.728Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/04/08/1"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T17:26:54.371080Z", "id": "CVE-2026-40228", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:27:22.882Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/05/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-05T01:34:55.360Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/05/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-05T01:34:55.360Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40228", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T17:26:54.371080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:27:12.048Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "systemd", "product": "systemd", "versions": [{"status": "affected", "version": "259", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/04/08/1"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T16:07:32.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40228", "state": "PUBLISHED", "dateUpdated": "2026-05-05T01:34:55.360Z", "dateReserved": "2026-04-10T15:48:43.773Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T15:48:44.215Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:systemd_project:systemd:259:-:*:*:*:*:*:*", "matchCriteriaId": "6D85A795-8EF7-4636-B021-3B1504C45503", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is set."}], "id": "CVE-2026-40228", "lastModified": "2026-05-05T02:16:04.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T16:16:33.753", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/04/08/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/05/05/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "systemd: systemd-journald: Unintended output to user terminals via logger command", "id": "2457316", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457316"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-117", "details": ["A flaw was found in systemd-journald. When the `ForwardToWall=yes` configuration is enabled, a local user who executes a `logger -p emerg` command can cause systemd-journald to send ANSI escape sequences to the terminals of other arbitrary users. This can lead to unintended output appearing on user terminals, potentially causing confusion or minor disruption."], "name": "CVE-2026-40228", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "NetworkManager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "systemd", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-10T15:48:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40228\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40228\nhttps://www.openwall.com/lists/oss-security/2026/04/08/1"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "259"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "systemd", "source": "cna", "vendor": "systemd"}, "product": "systemd", "vendor": "systemd"}], "analysis": {"en": {"generated_at": "2026-04-13T13:50:46.615330+00:00", "value": {"mitigation_remediation": ["Update systemd to a version that incorporates the fix", "Edit /etc/systemd/journald.conf to set ForwardToWall=no and restart systemd-journald if a patch is not yet available", "Verify that non\u2011privileged users cannot execute the \"logger -p emerg\" command on the system"], "summary": {"action": "Apply patch", "impact": "Terminal output injection"}, "threat_synthesis": {"affected_systems": "The flaw affects machines running systemd version 259 when the journald configuration has ForwardToWall set to yes. Any system with that version and forwarding enabled is susceptible; the problem is tied to systemd itself rather than any specific application.", "description_and_impact": "An unexpected behavior in systemd-journald allows ANSI escape sequences to be sent directly to the terminals of any logged\u2011in user when the \"logger -p emerg\" command is executed, provided the ForwardToWall option is enabled. This does not provide code execution but can modify terminal appearance or behavior through illicit escape codes, reflecting weaknesses in input sanitization (CWE-117) and misuse of terminal control (CWE-669).", "risk_and_exploitability": "The CVSS score of 2.9 labels this vulnerability as low severity and an EPSS score below 1% suggests a very small likelihood of exploitation in the wild. It is not listed in CISA\u2019s KEV catalog. The likely attack vector requires the attacker to invoke \u2018logger -p emerg\u2019, which may be restricted to user or privileged contexts; this condition is inferred from the description. Consequently the risk surface is limited to local or locally privileged users on systems with ForwardToWall enabled, though the impact on user experience could be noticeable."}}}}, "created": "2026-04-13T12:44:37.054503+00:00", "updated": "2026-04-13T14:27:06.545450+00:00", "vendors": ["systemd", "systemd$PRODUCT$systemd"]}