CVE-2026-40226
Status: Received - Intake
Escape-to-Host Vulnerability in systemd nspawn via Config File

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: MITRE

Description
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs

Vendor            Product   Version / Range
systemd_project   systemd   From 233 (inc) to 257.12 (exc)
systemd_project   systemd   From 258 (inc) to 258.6 (exc)
systemd_project   systemd   From 259 (inc) to 259.4 (exc)
CWE
CWE-348: The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability CVE-2026-40226 allows an escape from a container to the host system with elevated privileges, potentially compromising the confidentiality, integrity, and availability of the host system.

Such a compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality and system integrity.

However, the provided information does not explicitly mention any direct effects or assessments related to compliance with these standards.


Can you explain this vulnerability to me?

CVE-2026-40226 is a vulnerability in the systemd-nspawn package, versions 233 through 259 before 260. It involves a flaw in how optional configuration (.nspawn) files are parsed when spawning containers. Specifically, bugs related to the options PivotRoot=, BindUser=, and Ephemeral= can cause a container to be spawned on the host's root filesystem instead of inside the intended container environment.

This means that the container can escape its isolated environment and run with elevated privileges directly on the host system, which is a serious security issue.


How can this vulnerability impact me?

This vulnerability can allow an attacker with local high privileges to escape from a container to the host system, gaining elevated privileges on the host. This compromises the confidentiality, integrity, and availability of the host system.

  • An attacker could run malicious code on the host system outside the container.
  • Sensitive data on the host could be exposed or altered.
  • System stability and availability could be affected due to unauthorized actions on the host.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves crafted optional .nspawn configuration files that can cause a container to escape to the host root filesystem. Detection involves checking for the presence of such .nspawn files in storage directories where systemd-nspawn loads configuration files.

Administrators should look for .nspawn files that use the vulnerable options PivotRoot=, BindUser=, or Ephemeral=, as these are related to the parsing bugs.

Suggested commands to detect potentially vulnerable configuration files include searching for .nspawn files and inspecting their contents, for example:

  • find /path/to/containers -name '*.nspawn' -exec grep -E 'PivotRoot=|BindUser=|Ephemeral=' {} +
  • grep -r --include='*.nspawn' -E 'PivotRoot=|BindUser=|Ephemeral=' /path/to/containers

The --include restriction keeps the recursive grep from descending into every container root filesystem, where these strings are bound to appear in unrelated files.

Replace /path/to/containers with the actual directory where container images and their config files are stored.
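A more targeted audit than the two one-liners above, added here as an example rather than taken from the CVE record: it walks the locations where systemd.nspawn(5) says settings files are looked up (the trusted directories /etc/systemd/nspawn and /run/systemd/nspawn, plus /var/lib/machines, where a .nspawn file found next to an image is the less trusted source that CWE-348 describes), counts only uncommented option lines, and reports file, line number and the offending setting. The directory list, the function names and the sample files in the usage below are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the CVE record): audit systemd-nspawn settings
# files for the options named in this advisory.  Search locations follow
# systemd.nspawn(5): /etc/systemd/nspawn and /run/systemd/nspawn (trusted),
# and /var/lib/machines, where a .nspawn file sits next to its image and is
# treated by nspawn as a less trusted source.
DEFAULT_NSPAWN_DIRS="/etc/systemd/nspawn /run/systemd/nspawn /var/lib/machines"

# Only uncommented assignments count: "#PivotRoot=" in a comment is not a finding.
NSPAWN_PATTERN='^[[:space:]]*(PivotRoot|BindUser|Ephemeral)[[:space:]]*='

# audit_nspawn_dirs DIR... : print one "file:line:text" record per hit.
# Exit status 0 when at least one hit was found, 1 when none (grep-like),
# so it can drive an alert from a cron job or a CI check.
audit_nspawn_dirs() {
    hits=""
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # /dev/null as an extra operand makes grep print the file name even
        # when find hands it a single file.  "|| true" keeps a directory with
        # no matches from aborting a caller that runs under "set -e".
        dir_hits=$(find "$dir" -type f -name '*.nspawn' \
                   -exec grep -nE "$NSPAWN_PATTERN" /dev/null {} + ) || true
        if [ -n "$dir_hits" ]; then
            hits="${hits}${dir_hits}
"
        fi
    done
    printf '%s' "$hits"
    [ -n "$hits" ]
}

# With --system, run against the real locations (word splitting on the
# space-separated directory list is intended).
if [ "${1:-}" = "--system" ]; then
    if audit_nspawn_dirs $DEFAULT_NSPAWN_DIRS; then
        echo "review the settings above before the next container start" >&2
        exit 1
    fi
    echo "no PivotRoot=/BindUser=/Ephemeral= settings found" >&2
fi
```

A hit is not proof of a malicious file; these options have legitimate uses. The point of the audit is to enumerate every file that exercises the affected parsing paths so each one can be reviewed, and to notice new ones appearing in /var/lib/machines, which a user able to write next to an image can drop there without touching /etc.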


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing storage directories to ensure no .nspawn configuration files are present or that these files do not use the vulnerable options PivotRoot=, BindUser=, or Ephemeral=.

Upgrading systemd-nspawn to a patched version is recommended. Patched versions include systemd-nspawn 260, 259.4, 258.6, and 257.12.

Until an upgrade can be performed, administrators should carefully audit and remove or modify any .nspawn files that might exploit this vulnerability.
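To turn the version ranges on this page into a check that can run on every host, here is an added example (not part of the CVE record) that classifies a systemd version string against the affected ranges listed above and can read the installed version from `systemctl --version`. The function names are assumptions; the boundaries are exactly the ones the CPE table gives.

```shell
#!/bin/sh
# Added example (not from the CVE record): classify a systemd version string
# against the affected ranges this page lists: 233 <= v < 257.12,
# 258 <= v < 258.6, 259 <= v < 259.4; 260 and later carry the fix.

# nspawn_cve_status VERSION : print "affected", "not_affected" or
# "unparseable".  Accepts bare versions ("259"), point releases ("259.3")
# and packaging suffixes ("257.12-2~bpo12+1"); only major.minor matter.
nspawn_cve_status() {
    ver="$1"
    major="${ver%%[!0-9]*}"          # leading run of digits
    if [ -z "$major" ]; then
        echo unparseable
        return 2
    fi
    rest="${ver#$major}"             # text after the major number
    rest="${rest#.}"                 # drop one separating dot, if present
    minor="${rest%%[!0-9]*}"         # next run of digits ("" when absent)
    minor="${minor:-0}"
    if [ "$major" -lt 233 ] || [ "$major" -ge 260 ]; then
        echo not_affected
    elif [ "$major" -lt 257 ]; then
        echo affected                # 233..256: no fixed point release
    elif [ "$major" -eq 257 ] && [ "$minor" -lt 12 ]; then
        echo affected
    elif [ "$major" -eq 258 ] && [ "$minor" -lt 6 ]; then
        echo affected
    elif [ "$major" -eq 259 ] && [ "$minor" -lt 4 ]; then
        echo affected
    else
        echo not_affected
    fi
}

# parse_systemctl_version LINE : pull the version out of the first line of
# `systemctl --version`, which looks like "systemd 259 (259.3-1)".  The
# parenthesised part carries the point release; fall back to the bare number.
parse_systemctl_version() {
    line="$1"
    case "$line" in
        *'('*')'*) v="${line#*\(}"; v="${v%%\)*}" ;;
        *)         v="${line#systemd }"; v="${v%% *}" ;;
    esac
    printf '%s\n' "$v"
}

# With --local, check the systemd installed on this host.
if [ "${1:-}" = "--local" ] && command -v systemctl >/dev/null 2>&1; then
    local_ver=$(parse_systemctl_version "$(systemctl --version | head -n 1)")
    echo "systemd $local_ver: $(nspawn_cve_status "$local_ver")"
fi
```

The check is only as good as the version string: a distribution that backports the fix into an older package (a patched 255.x, say) will still report as affected here, so confirm against the distribution's own advisory or package changelog before treating a host as clean, and treat "not_affected" for a major below 233 as "outside the advisory's range" rather than as a statement about that release.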

