Executive Summary

CVE-2026-40226 is a vulnerability in the systemd-nspawn package versions 233 through 259 before 260. It involves a flaw in how optional configuration files are parsed when spawning containers. Specifically, bugs related to the options PivotRoot=, BindUser=, and Ephemeral= can cause a container to be spawned on the host's root filesystem instead of inside the intended container environment.

This means that the container can escape its isolated environment and run with elevated privileges directly on the host system, which is a serious security issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with local high privileges to escape from a container to the host system, gaining elevated privileges on the host. This compromises the confidentiality, integrity, and availability of the host system.

• An attacker could run malicious code on the host system outside the container.
• Sensitive data on the host could be exposed or altered.
• System stability and availability could be affected due to unauthorized actions on the host.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves crafted optional .nspawn configuration files that can cause a container to escape to the host root filesystem. Detection involves checking for the presence of such .nspawn files in storage directories where systemd-nspawn loads configuration files.

Administrators should look for .nspawn files that use the vulnerable options PivotRoot=, BindUser=, or Ephemeral=, as these are related to the parsing bugs.

Suggested commands to detect potentially vulnerable configuration files include searching for .nspawn files and inspecting their contents, for example:

• find /path/to/containers -name '*.nspawn' -exec grep -E 'PivotRoot=|BindUser=|Ephemeral=' {} +
• grep -r -E 'PivotRoot=|BindUser=|Ephemeral=' /path/to/containers

Replace /path/to/containers with the actual directory where container images and their config files are stored.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing storage directories to ensure no .nspawn configuration files are present or that these files do not use the vulnerable options PivotRoot=, BindUser=, or Ephemeral=.

Upgrading systemd-nspawn to a patched version is recommended. Patched versions include systemd-nspawn 260, 259.4, 258.6, and 257.12.

Until an upgrade can be performed, administrators should carefully audit and remove or modify any .nspawn files that might exploit this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2026-40226 allows an escape from a container to the host system with elevated privileges, potentially compromising the confidentiality, integrity, and availability of the host system.

Such a compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality and system integrity.

However, the provided information does not explicitly mention any direct effects or assessments related to compliance with these standards.

Useful 0 Not Useful 0