CVE-2021-4034 Overview
CVE-2021-4034, commonly known as "PwnKit," is a critical local privilege escalation vulnerability in polkit's pkexec utility. pkexec is a setuid-root program that lets unprivileged users run commands as another (normally privileged) user according to predefined policies. The vulnerability exists because pkexec does not handle an argument count of zero correctly: when it is invoked with an empty argv it reads its "program name" from memory just past the end of argv, which is where the environment variables begin, and then writes a resolved path back to that same location. An attacker who controls the environment can use this to smuggle a dangerous variable into a setuid-root process and make it execute arbitrary code, gaining full root on the target machine.
Critical Impact
This vulnerability enables any local unprivileged user to gain full root privileges on vulnerable Linux systems. It has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.
Affected Products
- Polkit Project polkit (all versions prior to patch)
- Red Hat Enterprise Linux 6, 7 and 8 (all minor releases and related variants)
- Canonical Ubuntu Linux (14.04, 16.04, 18.04, 20.04, 21.10)
- SUSE Linux Enterprise Server and Desktop
- Oracle HTTP Server and ZFS Storage Appliance Kit
- Siemens SINUMERIK Edge and SCALANCE LPE9403
Discovery Timeline
- 2022-01-25 - Qualys published its advisory; coordinated fixes shipped by distributions the same day
- 2022-01-28 - CVE-2021-4034 published to NVD
- 2025-11-06 - Last updated in NVD database
Technical Details for CVE-2021-4034
Vulnerability Analysis
This vulnerability stems from an out-of-bounds memory access in the pkexec binary during argument parsing. The kernel lays out argv and envp back to back on the new process's stack: argv[0] through argv[argc-1], a NULL terminator at argv[argc], and then envp[0] immediately after. pkexec assumes argc is at least 1 and starts its option loop at argv[1]. When pkexec is executed with an empty argument list (argc equals 0), argv[0] is already the NULL terminator and argv[1] is envp[0], so the "program name" pkexec reads is actually the first environment string.
If that string contains no slash, pkexec looks it up in PATH and writes the resolved path back into argv[1], that is, into envp[0]. By choosing the first environment string and the PATH directory name carefully, an attacker turns envp[0] into a variable of the form GCONV_PATH=<attacker directory>, a variable the dynamic loader would normally strip from the environment of a setuid program. When glibc's character-set conversion machinery is later invoked inside pkexec, it consults that directory for conversion modules and loads an attacker-controlled shared object into the root-privileged process.
Root Cause
The root cause is an out-of-bounds read (CWE-125) followed by an out-of-bounds write (CWE-787) in pkexec's argument handling. The program never checks that argc is greater than zero before accessing argv[1]. When argc is 0, argv[1] is the first entry of envp, so the read returns an environment string, and the subsequent write of the resolved program path lands inside the envp array, giving the attacker control over the environment of a setuid-root process.
This design flaw has existed in the codebase since the initial commit of pkexec in May 2009, meaning the vulnerability has been present in virtually all Linux distributions that ship with polkit for over 12 years.
Attack Vector
The attack requires local access: the attacker must already be able to run code as an unprivileged user on the system. Exploitation involves:
- Building a malicious shared library together with a gconv-modules file that tells glibc to load it
- Arranging the environment so that the first environment string, once pkexec has rewritten it through its PATH lookup, reads GCONV_PATH=<attacker directory>; GCONV_PATH is normally removed from setuid processes by the dynamic loader, which is why it has to be reintroduced this way
- Executing pkexec with an empty argument list (argc = 0) via the execve() system call; a shell always passes at least argv[0], so this step needs a small program or a language runtime that calls execve() directly (note that Linux 5.18 and later substitute an empty string for argv[0] when execve() is given an empty argv, so argc is never 0 on those kernels; the polkit patch remains the proper fix)
- The rewritten environment causes glibc, inside the root-privileged pkexec process, to load the attacker's shared library
The attack is highly reliable and does not require any user interaction. Multiple proof-of-concept exploits are publicly available, including via Exploit-DB.
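To make the memory layout behind the root cause and the attack steps above concrete, here is an added example written for this page; it is not polkit's source code. It models the pre-fix pkexec logic on a hand-built argv/envp block: the "filesystem", the PATH search and the option loop are simplified stand-ins (labelled as such in the comments), and the directory name GCONV_PATH=. and file name pwnkit are the staging names used by the public exploits. The vulnerable function reads argv[1], which with argc == 0 is envp[0], and writes the PATH-resolved name back into it; the fixed function refuses argc < 1 the way the upstream patch does, and still resolves an ordinary invocation.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the filesystem: the attacker has created a
 * directory literally named "GCONV_PATH=." holding an executable "pwnkit". */
static const char *fake_files[] = { "GCONV_PATH=./pwnkit", "/usr/bin/true", NULL };

/* getenv() over an explicit envp array (helper written for this example). */
static const char *env_get(char **envp, const char *key) {
    size_t klen = strlen(key);
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, key, klen) == 0 && (*e)[klen] == '=')
            return *e + klen + 1;
    return NULL;
}

/* Stand-in for pkexec's PATH search of a slash-less command name: returns a
 * malloc'd "<dir>/<name>" if that string is in fake_files, else NULL. */
static char *path_lookup(const char *path_env, const char *name) {
    char *copy = strdup(path_env), *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        size_t len = strlen(dir) + strlen(name) + 2;
        char *cand = malloc(len);
        snprintf(cand, len, "%s/%s", dir, name);
        for (const char **f = fake_files; *f; f++)
            if (strcmp(*f, cand) == 0) { free(copy); return cand; }
        free(cand);
    }
    free(copy);
    return NULL;
}

/* Simplified model of the pre-fix logic: skip options starting at argv[1],
 * take the next element as the program, resolve it through PATH and write
 * the resolved path back into argv[n]. Nothing checks that argc >= 1. */
static const char *vulnerable_pick_program(int argc, char **argv, char **envp) {
    int n;
    for (n = 1; n < argc; n++)            /* zero iterations when argc == 0 */
        if (argv[n][0] != '-') break;
    const char *program = argv[n];        /* argc == 0: argv[1] is envp[0] (OOB read) */
    if (program == NULL) return NULL;
    if (strchr(program, '/') == NULL) {
        const char *path_env = env_get(envp, "PATH");
        char *found = path_env ? path_lookup(path_env, program) : NULL;
        if (found == NULL) return NULL;
        argv[n] = found;                  /* argc == 0: overwrites envp[0] (OOB write) */
        program = found;
    }
    return program;
}

/* Fixed variant: the same early refusal of argc == 0 as the upstream patch. */
static const char *fixed_pick_program(int argc, char **argv, char **envp) {
    if (argc < 1) return NULL;            /* upstream pkexec exits with status 127 here */
    return vulnerable_pick_program(argc, argv, envp);
}

/* argv and envp laid out back to back as the kernel does it: argv[argc] is the
 * NULL terminator and envp[0] is the very next pointer. */
struct layout { char *block[6]; int argc; char **argv; char **envp; };

static void layout_argc0(struct layout *l) {
    static char cmd[] = "pwnkit", path[] = "PATH=GCONV_PATH=.";
    /* block[0] is argv[0] == NULL (the terminator), so block[1] is both
     * argv[1] and envp[0]; PATH is a single directory named "GCONV_PATH=." */
    char *b[] = { NULL, cmd, path, NULL };
    memcpy(l->block, b, sizeof b);
    l->argc = 0; l->argv = l->block; l->envp = l->block + 1;
}

static void layout_normal(struct layout *l) {   /* an ordinary "pkexec true" */
    static char a0[] = "pkexec", a1[] = "true", path[] = "PATH=/usr/bin";
    char *b[] = { a0, a1, NULL, path, NULL };
    memcpy(l->block, b, sizeof b);
    l->argc = 2; l->argv = l->block; l->envp = l->block + 3;
}

/* envp[0] after the vulnerable code ran with argc == 0: "GCONV_PATH=./pwnkit",
 * a GCONV_PATH variable that the dynamic loader had no chance to strip. */
const char *envp0_after_vulnerable(void) {
    static struct layout l;
    layout_argc0(&l);
    vulnerable_pick_program(l.argc, l.argv, l.envp);
    return l.envp[0];
}

/* envp[0] after the fixed code ran with argc == 0: still "pwnkit". */
const char *envp0_after_fixed(void) {
    static struct layout l;
    layout_argc0(&l);
    fixed_pick_program(l.argc, l.argv, l.envp);
    return l.envp[0];
}

/* The fixed code still resolves a normal invocation: "/usr/bin/true". */
const char *program_for_normal_invocation(void) {
    static struct layout l;
    layout_normal(&l);
    return fixed_pick_program(l.argc, l.argv, l.envp);
}

int main(void) {
    printf("argc=0, vulnerable: envp[0] = %s\n", envp0_after_vulnerable());
    printf("argc=0, fixed:      envp[0] = %s\n", envp0_after_fixed());
    printf("argc=2, fixed:      program = %s\n", program_for_normal_invocation());
    return 0;
}
```

The point to take away is the third line of output versus the first: the one-line argc check costs nothing for legitimate callers, while without it the attacker's PATH directory name becomes the prefix of a brand-new environment variable inside a setuid process.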
Detection Methods for CVE-2021-4034
Indicators of Compromise
- Executions of /usr/bin/pkexec with an empty argument list (argc = 0); in auditd EXECVE records this appears as argc=0
- Creation of directories or files whose names begin with GCONV_PATH= (public exploits stage a directory literally named GCONV_PATH=. alongside a directory holding a gconv-modules file and the payload .so, typically under /tmp or the attacker's working directory)
- Unexpected shared library files (.so files) appearing in temporary or world-writable directories
- Process ancestry showing a root shell or root process whose parent is pkexec invoked by an unprivileged user
- pkexec log lines such as "The value for the SHELL variable was not found the /etc/shells file" (sic) or "The value for environment variable [...] contains suscipious content" (sic) in auth.log or the journal; some exploitation attempts produce these, but the vulnerability can also be exploited without leaving them
Detection Strategies
- Monitor process execution events for pkexec invocations where argc equals 0 or the recorded command line is empty (audit EXECVE records, or EDR telemetry that captures argv)
- Implement file integrity monitoring on /usr/bin/pkexec to detect unauthorized modifications, and track its mode bits so that an unexpected change to the setuid bit is noticed
- Use endpoint detection solutions to identify suspicious parent-child process relationships involving pkexec, in particular a root shell whose parent is pkexec
- Alert on the creation of directories or files whose names contain GCONV_PATH= in /tmp, /var/tmp, /dev/shm and users' home directories (an auditd file watch or FIM rule)
Monitoring Recommendations
- Enable comprehensive audit logging for setuid binary executions using auditd rules targeting /usr/bin/pkexec
- Deploy behavioral detection rules that identify the characteristic attack pattern of environment variable manipulation followed by privilege escalation
- Correlate authentication logs with process execution logs to identify unauthorized privilege escalations
- Implement real-time alerting for any root shell spawned from pkexec without corresponding authentication events
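The following is an added example, not code from any vendor or detection product named on this page, showing the argc = 0 correlation from the strategies above run over a few constructed auditd records (the lines are written by hand to match auditd's raw format and do not come from a real host). It groups records by the serial in msg=audit(time:serial), flags an execve whose SYSCALL record names /usr/bin/pkexec and whose EXECVE record carries argc=0, and separately flags any PATH record whose name contains GCONV_PATH=, which assumes a file watch on the staging directories is in place.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKEXEC "/usr/bin/pkexec"
#define MAX_EVENTS 64

/* Constructed auditd records (hand-written for this example, not captured from
 * a host). Serial 2001: pkexec execve with argc=0. Serial 2002: a normal
 * "pkexec true". Serial 2003: a file-watch hit on an exploit staging path. */
static const char *sample_log[] = {
    "type=SYSCALL msg=audit(1643280000.101:2001): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm=\"pkexec\" exe=\"/usr/bin/pkexec\" key=\"pkexec_execution\"",
    "type=EXECVE msg=audit(1643280000.101:2001): argc=0",
    "type=PATH msg=audit(1643280000.101:2001): item=0 name=\"/usr/bin/pkexec\" mode=0104755",
    "type=SYSCALL msg=audit(1643280000.205:2002): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm=\"pkexec\" exe=\"/usr/bin/pkexec\" key=\"pkexec_execution\"",
    "type=EXECVE msg=audit(1643280000.205:2002): argc=2 a0=\"pkexec\" a1=\"true\"",
    "type=PATH msg=audit(1643280000.310:2003): item=1 name=\"/tmp/GCONV_PATH=./pwnkit\" nametype=CREATE",
    NULL
};

/* Copies the value of "key=..." (quoted or bare) into out; returns 1 if found.
 * The key must start the line or follow a space, so "exe" does not match
 * inside "pkexec_execution". */
static int field(const char *line, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    for (const char *p = strstr(line, key); p; p = strstr(p + klen, key)) {
        if ((p != line && p[-1] != ' ') || p[klen] != '=') continue;
        const char *v = p + klen + 1;
        int quoted = (*v == '"');
        if (quoted) v++;
        size_t n = 0;
        while (v[n] && v[n] != (quoted ? '"' : ' ')) n++;
        if (n >= outsz) n = outsz - 1;
        memcpy(out, v, n);
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Event serial from "msg=audit(<time>:<serial>):"; all records of one execve
 * share it, which is what lets SYSCALL and EXECVE lines be correlated. */
static long serial_of(const char *line) {
    const char *p = strstr(line, "msg=audit(");
    const char *colon = p ? strchr(p, ':') : NULL;
    return colon ? strtol(colon + 1, NULL, 10) : -1;
}

struct event { long serial; int pkexec; int argc0; int reported; };
static struct event events[MAX_EVENTS];
static int nevents;

static struct event *event_for(long serial) {
    for (int i = 0; i < nevents; i++)
        if (events[i].serial == serial) return &events[i];
    if (serial < 0 || nevents == MAX_EVENTS) return NULL;
    struct event *e = &events[nevents++];
    memset(e, 0, sizeof *e);
    e->serial = serial;
    return e;
}

enum { ALERT_PKEXEC_ARGC0 = 1, ALERT_GCONV_PATH_FILE = 2 };
struct alert { long serial; int kind; };

/* Walks the records, correlating by serial; returns the number of alerts
 * written to out. */
static int scan_audit_log(const char **lines, struct alert *out, int outmax) {
    char type[16], val[256];
    int n = 0;
    nevents = 0;
    for (const char **lp = lines; *lp && n < outmax; lp++) {
        const char *line = *lp;
        struct event *e = event_for(serial_of(line));
        if (e == NULL || !field(line, "type", type, sizeof type)) continue;
        if (strcmp(type, "SYSCALL") == 0 && field(line, "exe", val, sizeof val)) {
            e->pkexec = (strcmp(val, PKEXEC) == 0);
        } else if (strcmp(type, "EXECVE") == 0 && field(line, "argc", val, sizeof val)) {
            e->argc0 = (strcmp(val, "0") == 0);
        } else if (strcmp(type, "PATH") == 0 && field(line, "name", val, sizeof val)
                   && strstr(val, "GCONV_PATH=") != NULL) {
            out[n].serial = e->serial; out[n].kind = ALERT_GCONV_PATH_FILE; n++;
            continue;
        }
        if (e->pkexec && e->argc0 && !e->reported) {   /* both halves now seen */
            e->reported = 1;
            out[n].serial = e->serial; out[n].kind = ALERT_PKEXEC_ARGC0; n++;
        }
    }
    return n;
}

static struct alert found[8];

/* Runs the scan over the constructed records; the two expected alerts are
 * serial 2001 (pkexec with argc=0) and serial 2003 (GCONV_PATH= file). */
int run_sample(void) {
    return scan_audit_log(sample_log, found, 8);
}

int main(void) {
    int n = run_sample();
    for (int i = 0; i < n; i++)
        printf("ALERT serial=%ld %s\n", found[i].serial,
               found[i].kind == ALERT_PKEXEC_ARGC0 ? "pkexec executed with argc=0"
                                                    : "file created under a GCONV_PATH= name");
    return 0;
}
```

Correlating on the serial rather than on line adjacency matters because auditd can interleave records from concurrent events; the same approach extends to adding the uid/auid from the SYSCALL record to the alert so the responder knows which local account ran pkexec.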
How to Mitigate CVE-2021-4034
Immediate Actions Required
- Update polkit to a patched version immediately; consult your distribution's security advisories for specific version numbers
- If patching is not immediately possible, remove the SUID bit from pkexec using chmod 0755 /usr/bin/pkexec as a temporary measure
- Audit systems for signs of exploitation by reviewing process execution logs and checking for suspicious temporary files
- Prioritize patching systems that allow local user access, especially multi-user systems and shared compute environments
Patch Information
Patches have been released by all major Linux distributions. The official fix is in the upstream polkit repository on freedesktop.org's GitLab. Vendor-specific security advisories and patches are published by each of the affected vendors listed above; consult them for the exact fixed package versions.
Workarounds
- Remove the SUID bit from pkexec by running chmod 0755 /usr/bin/pkexec (note: this will break functionality that depends on pkexec for privilege elevation)
- Restrict access to vulnerable systems by limiting which users can obtain local shell access
- Implement application whitelisting to prevent execution of unauthorized binaries in temporary directories
- Use SELinux or AppArmor policies to restrict pkexec behavior if available on your distribution
# Temporary mitigation: Remove SUID bit from pkexec
chmod 0755 /usr/bin/pkexec
# Verify the change
ls -la /usr/bin/pkexec
# Should show: -rwxr-xr-x (not -rwsr-xr-x)
# Alternative: Use auditd to monitor pkexec usage
auditctl -a always,exit -F path=/usr/bin/pkexec -F perm=x -k pkexec_execution
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.