CVE-2026-40227

In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/systemd/systemd/security/advisories/GHSA-848h-497j-8vjq	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:systemd_project:systemd:260:-:*:*:*:*:*:*

History

14 Apr 2026, 19:41

Type	Values Removed	Values Added
CPE		cpe:2.3:a:systemd_project:systemd:260:-::::::
First Time		Systemd Project systemd Systemd Project
References	~~() https://github.com/systemd/systemd/security/advisories/GHSA-848h-497j-8vjq -~~	() https://github.com/systemd/systemd/security/advisories/GHSA-848h-497j-8vjq - Vendor Advisory

10 Apr 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-10 16:16

Updated : 2026-04-14 19:41

NVD link : CVE-2026-40227

Mitre link : CVE-2026-40227

CVE.ORG link : CVE-2026-40227

JSON object : View

Products Affected

systemd_project

systemd

CWE

CWE-1025

Comparison Using Wrong Factors

6.2 /10