Bug 2450505 (CVE-2026-29111) - CVE-2026-29111 systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data
Summary: CVE-2026-29111 systemd: systemd: Arbitrary code execution or Denial of Servic...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2026-29111
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2450655 2450656 2450658 2450659 2450657 2450660
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-23 22:02 UTC by OSIDB Bzimport
Modified: 2026-03-24 10:38 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-03-24 10:38:16 UTC
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-23 22:02:18 UTC 
systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.
Comment 2 Íñigo Huguet 2026-03-24 10:38:16 UTC 
Per the description of the vulnerability: https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764

NetworkManager is not affected, as it only takes some code from systemd for DHCPv6. This is related to the systemd's D-Bus API, for which NM shares no code at all.
Note You need to log in before you can comment on or make changes to this bug.