CVE-2026-40223
Received Received - Intake

Assertion Failure in systemd Delegate=yes Units Allows Local Attack

Vulnerability report for CVE-2026-40223, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: MITRE

Description

In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-10
Last Modified
2026-04-27
Generated
2026-07-06
AI Q&A
2026-04-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
systemd_project systemd From 258 (inc) to 260 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-696 The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40223 is a vulnerability in systemd versions 258 and 259 where the systemd process (PID 1) encounters an assertion failure and freezes when a system unit is configured with Delegate=yes and no User= directive set (User is unset).

A local unprivileged user can trigger this issue by making a specific IPC API call using busctl, causing systemd to hit an assert and freeze execution.

This results in a denial of service condition affecting systemd's availability.

Compliance Impact

The vulnerability causes a denial of service by freezing systemd, impacting system availability. However, it does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

Nevertheless, the availability impact could indirectly affect compliance if system downtime interferes with required operational controls or service availability obligations under these regulations.

Impact Analysis

The vulnerability causes systemd to freeze, resulting in a denial of service (DoS) condition.

Since systemd is a core system and service manager, its freezing can disrupt system availability and potentially impact all services managed by systemd.

The attack requires local access and has a high attack complexity, but only low privileges are needed and no user interaction is required.

Detection Guidance

This vulnerability can be detected by checking if your system is running systemd versions 258 or 259 and if there exists any system unit configured with Delegate=yes and no User= directive set.

A local unprivileged user can trigger the vulnerability by making a specific IPC API call using the busctl command. For example, the following command can be used to test if the systemd process is vulnerable:

  • busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/foo_2eservice org.freedesktop.systemd1.Service AttachProcesses "sau" "" 1 0

If executing this command causes systemd to hit an assert and freeze, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include stopping and disabling any system unit that is configured with Delegate=yes and does not have a User= directive set.

Additionally, upgrading systemd to version 260 or later, where the vulnerability is patched, is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart