2450505 – (CVE-2026-29111) CVE-2026-29111 systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data

Bug 2450505 (CVE-2026-29111) - CVE-2026-29111 systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data

Summary: CVE-2026-29111 systemd: systemd: Arbitrary code execution or Denial of Servic...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2026-29111
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2450655 2450656 2450658 2450659 2450657 2450660
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-23 22:02 UTC by OSIDB Bzimport
Modified:	2026-05-11 01:01 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2026-03-24 10:38:16 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2026:13835	None	None	None	2026-05-05 17:25:09 UTC
Red Hat Product Errata	RHBA-2026:14134	None	None	None	2026-05-06 12:47:35 UTC
Red Hat Product Errata	RHBA-2026:14170	None	None	None	2026-05-06 17:26:36 UTC
Red Hat Product Errata	RHBA-2026:14389	None	None	None	2026-05-06 21:08:54 UTC
Red Hat Product Errata	RHBA-2026:14793	None	None	None	2026-05-07 13:00:43 UTC
Red Hat Product Errata	RHBA-2026:15886	None	None	None	2026-05-11 01:01:47 UTC
Red Hat Product Errata	RHSA-2026:13651	None	None	None	2026-05-05 09:19:05 UTC
Red Hat Product Errata	RHSA-2026:13677	None	None	None	2026-05-05 10:23:53 UTC

Description OSIDB Bzimport 2026-03-23 22:02:18 UTC

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

Comment 2 Íñigo Huguet 2026-03-24 10:38:16 UTC

Per the description of the vulnerability: https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764

NetworkManager is not affected, as it only takes some code from systemd for DHCPv6. This is related to the systemd's D-Bus API, for which NM shares no code at all.

Comment 3 errata-xmlrpc 2026-05-05 09:19:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:13651 https://access.redhat.com/errata/RHSA-2026:13651

Comment 4 errata-xmlrpc 2026-05-05 10:23:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:13677 https://access.redhat.com/errata/RHSA-2026:13677

Note You need to log in before you can comment on or make changes to this bug.