CVE-2026-29111 | systemd: Local unprivileged user can trigger an assert

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

Published: 2026-03-23 Last update: 2026-04-15 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2026-29111 is rated Low Risk (22.4/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.01%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-29111

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-24 0.01%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-29111

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.5 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 3.6 [email protected]

Weakness enumeration for CVE-2026-29111

OS Trackers for CVE-2026-29111

vendor priority summary link
debian not yet assigned CVE-2026-29111 not yet assigned priority: Debian including 1 source packages (systemd), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2026-29111
redhat medium https://access.redhat.com/security/cve/CVE-2026-29111
suse medium CVE-2026-29111 severity moderate: SUSE including 382 source package names (13.2-9.82:aaa_base-84.87+git20240906.742565b-1.1, 13.2-9.82:libsystemd0-254.27-slfo.1.1_4.1, …), 768 product×package rows across 80 product lines (Container suse/manager/4.3/proxy-httpd, Container suse/manager/4.3/proxy-salt-broker, … (80 product lines)): Fixed 524, Known Affected 231, First Fixed 13. https://www.suse.com/security/cve/CVE-2026-29111/
ubuntu medium CVE-2026-29111 medium priority: Ubuntu including 1 source packages (systemd), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): released 4, not-affected 3, needs-triage 1. https://ubuntu.com/security/CVE-2026-29111

Affected software / configurations for CVE-2026-29111

Vendor Product Version Raw CPE
systemd_project systemd >= 239, < 257.11 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
systemd_project systemd >= 258, < 258.5 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*
systemd_project systemd >= 259, < 259.2 cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*

References for CVE-2026-29111

URL Tags
https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a Patch
https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6 Patch
https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412 Patch
https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd Patch
https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f Patch
https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f Patch
https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69 Patch
https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6 Patch
https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c Patch
https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8 Patch
https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764 Patch Vendor Advisory
cvelogic Threat Intelligence