CVE-2026-40223
Received Received - Intake
Assertion Failure in systemd Delegate=yes Units Allows Local Attack

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: MITRE

Description
In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40223
EUVD
EUVD-2026-21394
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
systemd_project systemd From 258 (inc) to 260 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-696 The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40223 is a vulnerability in systemd versions 258 and 259 where the systemd process (PID 1) encounters an assertion failure and freezes when a system unit is configured with Delegate=yes and no User= directive set (User is unset).

A local unprivileged user can trigger this issue by making a specific IPC API call using busctl, causing systemd to hit an assert and freeze execution.

This results in a denial of service condition affecting systemd's availability.

Impact Analysis

The vulnerability causes systemd to freeze, resulting in a denial of service (DoS) condition.

Since systemd is a core system and service manager, its freezing can disrupt system availability and potentially impact all services managed by systemd.

The attack requires local access and has a high attack complexity, but only low privileges are needed and no user interaction is required.

Detection Guidance

This vulnerability can be detected by checking if your system is running systemd versions 258 or 259 and if there exists any system unit configured with Delegate=yes and no User= directive set.

A local unprivileged user can trigger the vulnerability by making a specific IPC API call using the busctl command. For example, the following command can be used to test if the systemd process is vulnerable:

  • busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/foo_2eservice org.freedesktop.systemd1.Service AttachProcesses "sau" "" 1 0

If executing this command causes systemd to hit an assert and freeze, the system is vulnerable.

Compliance Impact

The vulnerability causes a denial of service by freezing systemd, impacting system availability. However, it does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

Nevertheless, the availability impact could indirectly affect compliance if system downtime interferes with required operational controls or service availability obligations under these regulations.

Mitigation Strategies

Immediate mitigation steps include stopping and disabling any system unit that is configured with Delegate=yes and does not have a User= directive set.

Additionally, upgrading systemd to version 260 or later, where the vulnerability is patched, is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart