CVE-2026-40223 Overview
CVE-2026-40223 is a Denial of Service vulnerability affecting systemd versions 258 through 259. A local unprivileged user can trigger an assertion failure when a service unit configured with Delegate=yes and an unset User= directive is running. This can lead to service disruption on affected Linux systems.
Critical Impact
Local unprivileged users can crash systemd service units by triggering an assertion, potentially disrupting critical system services and causing availability issues.
Affected Products
- systemd versions 258 through 259
- Linux distributions using affected systemd versions
Discovery Timeline
- 2026-04-10 - CVE-2026-40223 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-40223
Vulnerability Analysis
This vulnerability stems from a check performed in the wrong order (CWE-696, Incorrect Behavior Order) in systemd's handling of delegated control group (cgroup) units. When a service unit is configured with Delegate=yes to allow cgroup delegation but does not explicitly set the User= directive, the resulting configuration creates a state that triggers an assertion failure.
The vulnerability requires local access and specific conditions to exploit successfully. An attacker must be able to interact with a running unit that has this particular configuration. While the attack complexity is relatively high due to these prerequisites, successful exploitation results in a denial of service affecting the availability of the targeted service.
Root Cause
The root cause lies in systemd's improper handling of the condition where cgroup delegation is enabled without an explicit user context being set. The code path fails to properly validate this configuration state, leading to an assertion being triggered when certain operations are performed against the unit. This represents an incorrect behavior order vulnerability where the assertion check executes before proper state validation.
Attack Vector
The attack requires local access to the system. An unprivileged user can exploit this vulnerability by interacting with a running service unit that has Delegate=yes configured without an explicit User= setting. The attacker does not require any user interaction or special privileges beyond basic local system access.
The vulnerability specifically affects systems where administrators have configured service units for cgroup delegation—a common pattern for container runtimes and similar workloads. When such a unit is running, a local user can trigger the assertion failure, causing service disruption.
Detection Methods for CVE-2026-40223
Indicators of Compromise
- Unexpected systemd assertion failures in system logs (journalctl -u systemd-*)
- Service units crashing or restarting unexpectedly, particularly those with Delegate=yes configuration
- Core dumps or crash reports originating from systemd components
Detection Strategies
- Monitor system logs for assertion failure messages from systemd components
- Audit service unit configurations for the vulnerable Delegate=yes and User=<unset> pattern
- Implement file integrity monitoring on systemd unit files to detect configuration changes
Monitoring Recommendations
- Configure log aggregation to alert on systemd assertion failures across the infrastructure
- Establish baseline service availability metrics to detect abnormal restart patterns
- Review and inventory all service units using Delegate=yes to assess exposure
How to Mitigate CVE-2026-40223
Immediate Actions Required
- Upgrade systemd to version 260 or later where the vulnerability is resolved
- Review all service unit files for the Delegate=yes and unset User= configuration pattern
- Explicitly set the User= directive in affected service units as a temporary workaround
Patch Information
The vulnerability is fixed in systemd version 260. System administrators should upgrade to systemd 260 or later to fully remediate this issue. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Explicitly configure the User= directive in all service units that use Delegate=yes
- Restrict local user access on critical systems until patching can be completed
- Consider disabling Delegate=yes on non-essential services where cgroup delegation is not required
# Identify potentially vulnerable unit files
# -l prints only matching file names; plain -r output is "file:line", which would break the loop below
grep -rl "^Delegate=yes" /etc/systemd/system/ /lib/systemd/system/ 2>/dev/null | while read -r file; do
    # A User= line may also live in a drop-in (<unit>.d/*.conf); check those before treating the unit as exposed
    if ! grep -q "^User=" "$file"; then
        echo "Potentially vulnerable: $file"
    fi
done
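The grep above misses two things a real audit needs: Delegate= also accepts a controller list (so "Delegate=cpu memory" delegates just as Delegate=yes does), and User= is frequently set in a drop-in rather than the main unit file. The following added example (not part of the advisory or of systemd itself) parses the unit file and its drop-ins as plain text with the usual systemd merge rules assumed (drop-ins applied in sorted order, last assignment wins, an empty assignment resets the key), and ships constructed sample units so it can be dry-run offline.

```shell
#!/bin/sh
# Added example: audit a unit file plus its <unit>.d/*.conf drop-ins for the
# "delegation enabled, User= unset" pattern. Text parsing only; no systemctl.

# Effective value of KEY in the [Service] section across FILES, in order.
unit_effective_value() {  # $1 = key, $2.. = unit file, then drop-ins
    key=$1; shift
    awk -v key="$key" '
        /^[ \t]*\[/ { insvc = ($0 ~ /^[ \t]*\[Service\][ \t]*$/) }
        insvc && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); sub("[ \t]+$", ""); val = $0
        }
        END { print val }' "$@"
}

# Delegate= takes a boolean or a controller list; anything except an unset or
# explicitly false value enables delegation.
delegation_enabled() {  # $1 = Delegate value
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ""|no|false|0|off) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints a line and returns 1 if the unit delegates its cgroup without User=.
audit_unit() {  # $1 = path to a .service file
    unit=$1
    set -- "$unit"
    for f in "$unit.d"/*.conf; do [ -f "$f" ] && set -- "$@" "$f"; done
    delegate=$(unit_effective_value Delegate "$@")
    user=$(unit_effective_value User "$@")
    if delegation_enabled "$delegate" && [ -z "$user" ]; then
        echo "exposed: $unit (Delegate=$delegate, User unset)"
        return 1
    fi
    return 0
}

# Audit every .service file in a directory; returns 1 if any unit is exposed.
audit_dir() {  # $1 = e.g. /etc/systemd/system
    rc=0
    for u in "$1"/*.service; do [ -f "$u" ] && { audit_unit "$u" || rc=1; }; done
    return $rc
}

# Constructed sample units for a dry run: a.service is exposed, b.service gets
# its User= from a drop-in, c.service delegates a controller list but sets User=.
make_samples() {  # $1 = scratch directory
    mkdir -p "$1/b.service.d"
    printf '[Service]\nDelegate=yes\nExecStart=/bin/true\n' > "$1/a.service"
    printf '[Service]\nDelegate = yes\n' > "$1/b.service"
    printf '[Service]\nUser=svc\n' > "$1/b.service.d/10-user.conf"
    printf '[Service]\nDelegate=cpu memory\nUser=nobody\n' > "$1/c.service"
}
```

Run it against a scratch copy first (make_samples "$(mktemp -d)" then audit_dir on that directory); on a live host, audit_dir /etc/systemd/system lists the units to fix before the upgrade to 260 lands.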
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

