CVE-2026-29111 Overview
CVE-2026-29111 is a Denial of Service vulnerability affecting systemd, the widely deployed system and service manager on Linux systems. When running as PID 1, systemd can be triggered to hit an assertion and freeze execution when an unprivileged IPC API call is made with spurious (malformed) data. This vulnerability is particularly concerning because systemd as PID 1 is the init system responsible for managing all other processes on the system.
The vulnerability exhibits different behaviors depending on the systemd version. On version v249 and older, the effect is more severe—resulting in stack overwriting with attacker-controlled content. From version v250 and newer, a safety check was introduced that causes an assertion failure instead of stack corruption. The vulnerable IPC call was added in version v239, meaning versions older than v239 are not affected.
Critical Impact
Local attackers with unprivileged access can freeze the init system (PID 1) causing complete system unavailability, or on older versions (v249 and below), potentially achieve stack-based memory corruption with attacker-controlled data.
Affected Products
- systemd versions v239 through v256 (assertion/freeze vulnerability)
- systemd versions v239 through v249 (stack overwriting vulnerability)
- Linux distributions using affected systemd versions as init system
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-29111 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-29111
Vulnerability Analysis
This vulnerability stems from improper input validation in systemd's D-Bus IPC handling code. The issue is classified under CWE-269 (Improper Privilege Management), though the root cause involves insufficient validation of cgroup path arguments passed through the IPC interface. When systemd receives an IPC call with malformed or unexpected data, it fails to properly validate the input before processing, leading to either an assertion failure (v250+) or stack corruption (v239-v249).
The attack requires local access to the system but does not require elevated privileges. An unprivileged user can send specially crafted IPC messages to systemd's D-Bus interface. The impact is limited to availability—the attacker cannot gain code execution or access sensitive data on newer versions, but on older versions (v239-v249), the stack overwriting behavior with attacker-controlled content could potentially be exploited further.
Root Cause
The vulnerability exists due to insufficient validation of cgroup paths passed to systemd via its D-Bus manager interface. The code failed to verify that cgroup paths were both absolute and normalized before using them in sensitive operations. This allowed attackers to provide malformed paths that could trigger assertion failures or, on older versions, cause stack corruption during path processing operations.
The patch addresses this by adding explicit validation checks to ensure cgroup paths are absolute and properly normalized before processing:
// Security patch from src/core/dbus-manager.c
// Source: https://github.com/systemd/systemd/commit/1d22f706bd04f45f8422e17fbde3f56ece17758a
if (r < 0)
return r;
+ if (!path_is_absolute(cgroup))
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not absolute: %s", cgroup);
+
+ if (!path_is_normalized(cgroup))
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not normalized: %s", cgroup);
+
u = manager_get_unit_by_cgroup(m, cgroup);
if (!u)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT,
Attack Vector
The attack is performed locally through systemd's D-Bus IPC interface. An attacker with unprivileged local access can send crafted messages containing malformed cgroup paths to trigger the vulnerability. The path validation bypass allows dot-dot sequences and non-normalized paths to reach internal processing code:
// Security patch from src/core/cgroup.c - Enhanced path validation
// Source: https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412
/* Determine this unit's cgroup path relative to our cgroup root */
- pp = path_startswith(crt->cgroup_path, u->manager->cgroup_root);
+ const char *pp = path_startswith_full(cgroup_path,
+ u->manager->cgroup_root,
+ PATH_STARTSWITH_RETURN_LEADING_SLASH|PATH_STARTSWITH_REFUSE_DOT_DOT);
if (!pp)
return -EINVAL;
The fix introduces the PATH_STARTSWITH_REFUSE_DOT_DOT flag to explicitly reject path traversal attempts.
Detection Methods for CVE-2026-29111
Indicators of Compromise
- Unexpected systemd process hangs or freezes with PID 1 becoming unresponsive
- System journal entries showing assertion failures in systemd with stack traces referencing cgroup or D-Bus handling code
- Repeated D-Bus messages to systemd containing unusual or malformed cgroup paths
- System-wide service management failures after a specific point in time
Detection Strategies
- Monitor system logs for systemd assertion failures using patterns like Assertion.*failed in journalctl output
- Implement D-Bus message auditing to detect unusual IPC patterns targeting systemd manager interfaces
- Deploy endpoint detection rules to alert on systemd PID 1 entering unresponsive states
- Use SentinelOne's behavioral AI to detect anomalous process states for critical system services
Monitoring Recommendations
- Enable verbose logging for systemd D-Bus interface interactions during investigation periods
- Configure alerting on journal entries indicating cgroup-related errors in systemd
- Monitor system availability metrics for unexpected init system hangs
- Track D-Bus method calls to org.freedesktop.systemd1.Manager interface for anomalous patterns
How to Mitigate CVE-2026-29111
Immediate Actions Required
- Update systemd to patched versions: 260-rc1, 259.2, 258.5, or 257.11
- Prioritize updates on multi-user systems where unprivileged users have local access
- Identify all systems running systemd versions v239 through v256 in your environment
- For systems running v249 or older, treat with higher urgency due to stack overwriting risk
Patch Information
The systemd project has released patches across multiple stable branches. Affected organizations should update to one of the following fixed versions:
- Version 260-rc1 (release candidate)
- Version 259.2
- Version 258.5
- Version 257.11
Multiple commits address this vulnerability. For detailed technical information, see the GitHub Security Advisory and related patch commits.
Workarounds
- No known workarounds are available according to the security advisory
- Restrict local user access on critical systems until patches can be applied
- Consider implementing additional monitoring for systems that cannot be immediately patched
- Limit D-Bus access using policy configurations where feasible (may impact system functionality)
# Check current systemd version
systemctl --version
# Example: Update systemd on Debian/Ubuntu-based systems (once packages are available)
sudo apt update && sudo apt upgrade systemd
# Example: Update systemd on RHEL/Fedora-based systems (once packages are available)
sudo dnf update systemd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
