CVE-2026-40223
Assertion Failure in systemd Delegate=yes Units Allows Local Attack
Publication date: 2026-04-10
Last updated on: 2026-04-27
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| systemd_project | systemd | From 258 (inc) to 260 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40223 is a vulnerability in systemd versions 258 and 259 where the systemd process (PID 1) encounters an assertion failure and freezes when a system unit is configured with Delegate=yes and no User= directive set (User is unset).
A local unprivileged user can trigger this issue by making a specific IPC API call using busctl, causing systemd to hit an assert and freeze execution.
This results in a denial of service condition affecting systemd's availability.
How can this vulnerability impact me? :
The vulnerability causes systemd to freeze, resulting in a denial of service (DoS) condition.
Since systemd is a core system and service manager, its freezing can disrupt system availability and potentially impact all services managed by systemd.
The attack requires local access and has a high attack complexity, but only low privileges are needed and no user interaction is required.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system is running systemd versions 258 or 259 and if there exists any system unit configured with Delegate=yes and no User= directive set.
A local unprivileged user can trigger the vulnerability by making a specific IPC API call using the busctl command. For example, the following command can be used to test if the systemd process is vulnerable:
- busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/foo_2eservice org.freedesktop.systemd1.Service AttachProcesses "sau" "" 1 0
If executing this command causes systemd to hit an assert and freeze, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include stopping and disabling any system unit that is configured with Delegate=yes and does not have a User= directive set.
Additionally, upgrading systemd to version 260 or later, where the vulnerability is patched, is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability causes a denial of service by freezing systemd, impacting system availability. However, it does not affect confidentiality or integrity of data.
Since the vulnerability does not compromise data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.
Nevertheless, the availability impact could indirectly affect compliance if system downtime interferes with required operational controls or service availability obligations under these regulations.