
CVE-2023-26604: systemd Privilege Escalation Vulnerability

CVE-2023-26604 is a privilege escalation vulnerability in systemd before version 247 that allows local attackers to gain root access via Sudo configurations. This article covers technical details, affected versions, and mitigation.

Published: February 11, 2026

CVE-2023-26604 Overview

CVE-2023-26604 is a local privilege escalation vulnerability in systemd versions before 247. The flaw exists because systemd does not adequately block privilege escalation when used with certain Sudo configurations. Specifically, systemd fails to set the LESSSECURE=1 environment variable when invoking the less pager program, which allows users to escape to a shell or launch arbitrary programs from within less. When systemctl status is executed via Sudo and the terminal window is too small to display complete output, the less pager runs with root privileges, enabling an attacker with limited Sudo access to escalate to full root privileges.

Critical Impact

Local users with Sudo permissions to run systemctl status can escape the less pager to execute arbitrary commands as root, achieving complete system compromise.

Affected Products

  • systemd_project systemd (versions prior to 247)
  • debian debian_linux 10.0

Discovery Timeline

  • 2023-03-03 - CVE-2023-26604 published to NVD
  • 2025-06-20 - Last updated in NVD database

Technical Details for CVE-2023-26604

Vulnerability Analysis

This vulnerability represents a privilege escalation flaw rooted in insecure program invocation practices. The core issue stems from systemd's use of the less pager without proper security restrictions when displaying output from commands like systemctl status.

The less program has built-in functionality that allows users to execute shell commands by typing ! followed by a command, or to invoke external editors. When LESSSECURE=1 is set, these dangerous features are disabled. However, systemd versions prior to 247 do not set this environment variable, creating an escalation path.

The exploitation scenario requires a specific but common configuration: a sudoers entry that permits a user to run systemctl status (or similar systemctl commands) without a password. When the attacker executes this command via Sudo and resizes the terminal to force pager activation, less runs with elevated privileges. From within less, the attacker can spawn a root shell.

Root Cause

The root cause is systemd's failure to implement the LESSSECURE=1 environment variable when invoking the less pager. This omission allows the pager's interactive features—specifically shell escape functionality—to remain active even when running with elevated privileges via Sudo. The vulnerability falls under CWE-269 (Improper Privilege Management), as the application fails to properly restrict dangerous functionality when operating in a privileged context.

Attack Vector

The attack requires local access and relies on a specific but common sudoers configuration pattern. The attacker must have Sudo permissions to execute systemctl commands. The exploitation flow involves:

  1. The attacker identifies a sudoers entry allowing execution of systemctl status or similar commands
  2. The attacker resizes the terminal window to be smaller than the command output
  3. When executed via Sudo, less launches as root to paginate the output
  4. Within less, the attacker types !sh or !/bin/bash to spawn a root shell
  5. The attacker now has full root access to the system

This attack is particularly dangerous because sudoers entries permitting systemctl status are often considered safe by administrators, as the command appears to be read-only. Technical details of exploitation techniques can be found in the Packet Storm Exploit Report and Compass Security Blog Post.

Detection Methods for CVE-2023-26604

Indicators of Compromise

  • Unusual shell processes spawned as child processes of less running under root privileges
  • Audit log entries showing interactive shell invocations immediately following systemctl status commands executed via Sudo
  • Process tree anomalies where sudo → systemctl → less chains spawn unexpected child processes
  • User session histories containing patterns of terminal resizing followed by systemctl commands

Detection Strategies

  • Monitor for less processes running as root that spawn shell subprocesses using process relationship analysis
  • Implement auditd rules to track executions of systemctl via Sudo and correlate with subsequent process creation events
  • Deploy endpoint detection rules that alert on shell escape sequences (!sh, !/bin/bash) in process command lines under elevated contexts
  • Use SentinelOne's behavioral AI to detect anomalous privilege escalation patterns involving pager programs

Monitoring Recommendations

  • Enable comprehensive command logging for all Sudo executions, particularly those involving systemctl
  • Configure auditd to monitor process creation events with parent process correlation to identify pager escape attacks
  • Implement alerting on any interactive shell spawned from pager processes running under elevated privileges
  • Review sudoers configurations periodically to identify potentially dangerous entries that permit systemctl access
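The process-relationship analysis called for under Detection Strategies and Monitoring Recommendations, as an added example that is not SentinelOne's code: it walks a constructed process tree (fields modelled on auditd/EDR process-creation records) and reports any root shell whose parent is a pager launched under sudo, of which the sudo -> systemctl -> less -> sh chain is the CVE-2023-26604 instance. All pids and process names below are constructed sample data.

```python
from collections import namedtuple

# Minimal process-creation record; on a real host these fields would come
# from auditd SYSCALL/EXECVE records or an EDR process tree (constructed).
Proc = namedtuple("Proc", "pid ppid euid comm")

# Constructed sample tree. pids 300-303 model the CVE-2023-26604 escape
# (sudo -> systemctl -> less -> root sh); 400-402 is a benign root pager
# that never spawns a shell; 500-501 is a pager escape with no privilege.
SAMPLE_EVENTS = [
    Proc(1, 0, 0, "systemd"),
    Proc(200, 1, 1000, "bash"),       # user's login shell
    Proc(300, 200, 0, "sudo"),
    Proc(301, 300, 0, "systemctl"),
    Proc(302, 301, 0, "less"),
    Proc(303, 302, 0, "sh"),          # shell escape typed inside the pager
    Proc(400, 200, 0, "sudo"),
    Proc(401, 400, 0, "systemctl"),
    Proc(402, 401, 0, "less"),        # pager used normally, then quit
    Proc(500, 200, 1000, "less"),
    Proc(501, 500, 1000, "bash"),     # escape as the user: no escalation
]

SHELLS = {"sh", "bash", "dash", "zsh"}
PAGERS = {"less", "more"}


def ancestry(procs, pid):
    """Return comm names from pid up to the top of the tree (loop-safe)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].comm)
        pid = by_pid[pid].ppid
    return chain


def find_pager_escapes(procs):
    """Return (shell_pid, chain) for every root shell whose direct parent is
    a pager that itself runs somewhere under sudo. Any sudo -> pager -> shell
    chain is reported; systemctl's pager is the CVE-2023-26604 case."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.comm not in SHELLS or p.euid != 0:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.comm not in PAGERS:
            continue
        chain = ancestry(procs, p.pid)
        if "sudo" in chain:
            hits.append((p.pid, " <- ".join(chain)))
    return hits
```

Feeding real audit records means mapping ppid/euid/comm from the SYSCALL fields (ppid, euid, comm) before calling find_pager_escapes.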

How to Mitigate CVE-2023-26604

Immediate Actions Required

  • Upgrade systemd to version 247 or later where LESSSECURE=1 is properly enforced
  • Audit all sudoers files for entries that permit execution of systemctl commands and evaluate necessity
  • Set the LESSSECURE=1 environment variable system-wide as a defense-in-depth measure
  • Consider using sudoedit or more restrictive Sudo configurations that specify NOEXEC for systemctl commands

Patch Information

The vulnerability was addressed in systemd version 247, which includes the fix to set LESSSECURE=1 when invoking the less pager. For detailed information about the fix, refer to the GitHub Systemd Updates. Debian users should consult the Debian LTS Security Announcement for distribution-specific patching guidance. NetApp customers should review the NetApp Security Advisory for affected products.

Workarounds

  • Add Defaults env_keep += "LESSSECURE" to sudoers and ensure LESSSECURE=1 is exported in system-wide profile scripts
  • Modify sudoers entries to use NOEXEC tag for systemctl commands: user ALL=(root) NOEXEC: /bin/systemctl status *
  • Use alternative pagers that do not have shell escape functionality by setting SYSTEMD_PAGER=cat in environment configurations
  • Remove or restrict sudoers entries that permit systemctl execution until systems can be patched
```bash
# Workaround configuration example
# Add to /etc/sudoers.d/systemctl-hardening
# (command-specific Defaults: env_keep passes the caller's LESSSECURE
# through sudo only for these binaries; it does not set the value, so the
# profile export further down is what supplies LESSSECURE=1)
Defaults!/bin/systemctl env_keep += "LESSSECURE"
Defaults!/usr/bin/systemctl env_keep += "LESSSECURE"

# Add to /etc/profile.d/lesssecure.sh
export LESSSECURE=1

# Alternative: Use NOEXEC to prevent shell escapes
# user ALL=(root) NOEXEC: /bin/systemctl status *
```
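A small audit helper for the Immediate Actions and Workarounds above, added here as an example and not part of the original page or of systemd: it parses `systemctl --version` output for the major version, flags sudoers rules that expose systemctl without the NOEXEC tag, and combines the two into a single "still needs action" verdict. The sudoers text and version strings are constructed samples, and the rule parser is simplified (no aliases, includes, or comma-separated command lists).

```python
import re

# Constructed sample sudoers fragment (not from a real host). alice and
# carol can reach systemctl's pager as root; bob's rule carries NOEXEC.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/ops  (constructed sample)
Defaults env_reset
alice ALL=(root) NOPASSWD: /bin/systemctl status *
bob   ALL=(root) NOEXEC: /bin/systemctl status *
carol ALL=(root) /usr/bin/systemctl restart nginx
erin  ALL=(root) NOPASSWD: /usr/bin/apt update
"""

# "user hosts=(runas) [TAG: ...] command" (simplified; single command only)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\([^)]*\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def systemd_version(version_output):
    """Major version from `systemctl --version` output, e.g.
    'systemd 245 (245.4-4ubuntu3.22)' -> 245; None if unparsable."""
    m = re.search(r"systemd\s+(\d+)", version_output)
    return int(m.group(1)) if m else None


def risky_systemctl_rules(sudoers_text):
    """(user, command) for rules that allow systemctl via sudo without
    the NOEXEC tag; these leave the less shell escape reachable as root."""
    risky = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd, tags = m.group("cmd").strip(), m.group("tags")
        if "systemctl" in cmd and "NOEXEC" not in tags:
            risky.append((m.group("user"), cmd))
    return risky


def needs_action(sudoers_text, version_output):
    """True when systemd is older than 247 (no LESSSECURE=1 from systemd)
    and at least one rule still exposes systemctl without NOEXEC."""
    ver = systemd_version(version_output)
    return (ver is None or ver < 247) and bool(risky_systemctl_rules(sudoers_text))
```

On a live host, pass the contents of /etc/sudoers and /etc/sudoers.d/* (or `sudo -l` output) and the real `systemctl --version` string; a False verdict only means this specific escape path is closed, not that the sudoers rules are otherwise minimal.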

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Privilege Escalation
  • Vendor/Tech: Debian
  • Severity: HIGH
  • CVSS Score: 7.8
  • EPSS Probability: 5.01%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • NVD-CWE-noinfo
  • CWE-269

Technical References

  • Packet Storm Exploit Report
  • Compass Security Blog Post
  • GitHub Systemd Updates
  • Debian LTS Security Announcement
  • Medium Article on CVE-2023-26604
  • NetApp Security Advisory

Related CVEs

  • CVE-2022-48174: Debian Linux Buffer Overflow Vulnerability
  • CVE-2025-6297: Debian Dpkg DOS Vulnerability
  • CVE-2025-8454: Debian Devscripts Information Disclosure
  • CVE-2023-51714: Qt HTTP2 Buffer Overflow Vulnerability
©2026 SentinelOne, All Rights Reserved.
