CVE-2021-4034


A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.

Published: 2022-01-28 Last update: 2025-11-06 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-4034 is rated Critical Active Threat (90.8/100): CVSS High severity, with high exploitation likelihood (EPSS 88.06%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2022-06-27) affecting Red Hat / Polkit. Weakness: CWE-125. Unauthenticated remote administrative access may be possible. Mandatory action: the CISA remediation deadline has passed; treat as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2021-4034

Name: Red Hat Polkit Out-of-Bounds Read and Write Vulnerability

Exploit added: 2022-06-27

Action due: 2022-07-18

Required action: Apply updates per vendor instructions.

Public exploit references (Exploit-DB) for CVE-2021-4034

EDB-ID Source Kind Published Link
50689 exploit_db edb 2022-01-27 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2021-4034

EPSS is a daily estimate of the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-28 88.32% 88.06% -0.26%
2 2026-05-27 88.81% 88.32% -0.49%
3 2026-05-23 88.81%

Full EPSS history (121 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-4034

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
1.8 5.9 [email protected]
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1.8 5.9 134c704f-9b21-4f2e-91b3-4a467353bcc0
7.2 2.0 HIGH
AV:L/AC:L/Au:N/C:C/I:C/A:C
Access vector (AV:L)
Requires local access to the target system.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (Au:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
3.9 10.0 [email protected]

Weakness enumeration for CVE-2021-4034

OS Trackers for CVE-2021-4034

vendor priority summary link
alpine CVE-2021-4034: 1 source package rows (polkit); 31 state rows across 9 repos (3.12-main, 3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, 3.23-community, edge-community); fixed 28, open 3. https://security.alpinelinux.org/vuln/CVE-2021-4034
debian not yet assigned CVE-2021-4034 not yet assigned priority: Debian including 1 source packages (policykit-1), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2021-4034
gentoo high CVE-2021-4034: 1 GLSA(s) (202201-01), 1 atom(s) (sys-auth/polkit); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-4034
redhat high https://access.redhat.com/security/cve/CVE-2021-4034
suse high https://www.suse.com/security/cve/CVE-2021-4034/
ubuntu high CVE-2021-4034 high priority: Ubuntu including 1 source packages (policykit-1), 8 status rows across 8 suites (bionic, focal, hirsute, impish, jammy, trusty, upstream, xenial): released 6, ignored 1, needs-triage 1. https://ubuntu.com/security/CVE-2021-4034

Affected software / configurations for CVE-2021-4034

Vendor Product Version Raw CPE
polkit_project polkit < 121 cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*
redhat enterprise_linux_server_update_services_for_sap_solutions 7.6 cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
redhat enterprise_linux_server_update_services_for_sap_solutions 7.7 cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
redhat enterprise_linux 8.0 cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhat enterprise_linux_desktop 7.0 cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_eus 8.2 cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
redhat enterprise_linux_for_ibm_z_systems 7.0 cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_for_ibm_z_systems 8.0 cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
redhat enterprise_linux_for_ibm_z_systems_eus 8.2 cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:*:*:*:*:*:*:*
redhat enterprise_linux_for_ibm_z_systems_eus 8.4 cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
redhat enterprise_linux_for_power_big_endian 7.0 cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_for_power_little_endian 7.0 cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_for_power_little_endian 8.0 cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
redhat enterprise_linux_for_power_little_endian_eus 8.1 cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:*:*:*:*:*:*:*
redhat enterprise_linux_for_power_little_endian_eus 8.2 cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:*:*:*:*:*:*:*
redhat enterprise_linux_for_power_little_endian_eus 8.4 cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
redhat enterprise_linux_for_scientific_computing 7.0 cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_server 6.0 cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
redhat enterprise_linux_server 7.0 cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 7.3 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 7.4 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 7.6 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 7.7 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 8.2 cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 8.4 cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
redhat enterprise_linux_server_eus 8.4 cpe:2.3:o:redhat:enterprise_linux_server_eus:8.4:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 7.6 cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 7.7 cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 8.2 cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 8.4 cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1 cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2 cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4 cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
redhat enterprise_linux_workstation 7.0 cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
canonical ubuntu_linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
canonical ubuntu_linux 18.04 cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 20.04 cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 21.10 cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*
suse enterprise_storage 7.0 cpe:2.3:a:suse:enterprise_storage:7.0:*:*:*:*:*:*:*
suse linux_enterprise_high_performance_computing 15.0 cpe:2.3:a:suse:linux_enterprise_high_performance_computing:15.0:sp2:*:*:-:*:*:*
suse manager_proxy 4.1 cpe:2.3:a:suse:manager_proxy:4.1:*:*:*:*:*:*:*
suse manager_server 4.1 cpe:2.3:a:suse:manager_server:4.1:*:*:*:*:*:*:*
suse linux_enterprise_desktop 15 cpe:2.3:o:suse:linux_enterprise_desktop:15:sp2:*:*:*:*:*:*
suse linux_enterprise_server 15 cpe:2.3:o:suse:linux_enterprise_server:15:sp2:*:*:*:-:*:*
suse linux_enterprise_server 15 cpe:2.3:o:suse:linux_enterprise_server:15:sp2:*:*:*:sap:*:*
suse linux_enterprise_workstation_extension 12 cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp5:*:*:*:*:*:*
oracle http_server 12.2.1.3.0 cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
oracle http_server 12.2.1.4.0 cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
oracle zfs_storage_appliance_kit 8.8 cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
siemens sinumerik_edge < 3.3.0 cpe:2.3:a:siemens:sinumerik_edge:*:*:*:*:*:*:*:*
siemens scalance_lpe9403_firmware < 2.0 cpe:2.3:o:siemens:scalance_lpe9403_firmware:*:*:*:*:*:*:*:*
starwindsoftware command_center 1.0 cpe:2.3:a:starwindsoftware:command_center:1.0:update3_build5871:*:*:*:*:*:*
starwindsoftware starwind_virtual_san v8 cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build14338:*:*:*:*:*:*

References for CVE-2021-4034

URL Tags
http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html Third Party Advisory VDB Entry
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001 Mitigation Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2025869 Issue Tracking Patch
https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf Third Party Advisory
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Patch
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Exploit Mitigation Third Party Advisory
https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/ Exploit Third Party Advisory
https://www.starwindsoftware.com/security/sw-20220818-0001/ Third Party Advisory
https://www.suse.com/support/kb/doc/?id=000020564 Third Party Advisory
https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034 Exploit Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034 US Government Resource