彙總 systemd 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 路徑處理缺陷、緩衝區溢位與記憶體損壞 相關,可能在 軟體部署與生產負載 場景中帶來 應用程式崩潰與檔案覆寫 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-40228 | In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set. | [email protected] | 2.9 | 0.01% | 2026-04-10 | 2026-05-05 |
| CVE-2026-40227 | In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element. | [email protected] | 6.2 | 0.02% | 2026-04-10 | 2026-04-14 |
| CVE-2026-40226 | In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. | [email protected] | 6.4 | 0.01% | 2026-04-10 | 2026-04-17 |
| CVE-2026-40225 | In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. | [email protected] | 6.4 | 0.02% | 2026-04-10 | 2026-04-27 |
| CVE-2026-40224 | In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace. | [email protected] | 6.7 | 0.01% | 2026-04-10 | 2026-04-27 |
| CVE-2026-40223 | In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running. | [email protected] | 4.7 | 0.01% | 2026-04-10 | 2026-04-27 |
| CVE-2026-29111 | systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. N | [email protected] | 5.5 | 0.01% | 2026-03-23 | 2026-04-15 |
| CVE-2025-4598 | A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the proc | [email protected] | 4.7 | 0.10% | 2025-05-30 | 2026-05-19 |
| CVE-2023-7008 | A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records. | [email protected] | 5.9 | 0.48% | 2023-12-23 | 2025-11-04 |
| CVE-2023-31439 | An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." | [email protected] | 5.3 | 0.09% | 2023-06-13 | 2024-11-21 |
| CVE-2023-31438 | An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." | [email protected] | 5.3 | 0.10% | 2023-06-13 | 2024-11-21 |
| CVE-2023-31437 | An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." | [email protected] | 5.3 | 0.16% | 2023-06-13 | 2025-01-03 |
| CVE-2023-26604 | systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output. | [email protected] | 7.8 | 5.63% | 2023-03-03 | 2025-06-20 |
| CVE-2022-4415 | A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. | [email protected] | 5.5 | 0.03% | 2023-01-11 | 2025-11-03 |
| CVE-2022-45873 | systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file. | [email protected] | 5.5 | 0.02% | 2022-11-23 | 2025-04-25 |
| CVE-2022-3821 | An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. | [email protected] | 5.5 | 0.03% | 2022-11-08 | 2025-05-02 |
| CVE-2022-2526 | A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later. | [email protected] | 9.8 | 0.28% | 2022-09-09 | 2024-11-21 |
| CVE-2021-3997 | A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp. | [email protected] | 5.5 | 0.02% | 2022-08-23 | 2024-11-21 |
| CVE-2021-33910 | basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash. | [email protected] | 5.5 | 0.05% | 2021-07-20 | 2025-06-09 |
| CVE-2020-13529 | An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server. | [email protected] | 6.1 | 0.07% | 2021-05-10 | 2024-11-21 |