CVE-2026-29111
Publication date 23 March 2026
Last updated 25 March 2026
Ubuntu priority
Description
systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| systemd | 25.10 questing |
Fixed 257.9-0ubuntu2.3
|
| 24.04 LTS noble |
Fixed 255.4-1ubuntu8.14
|
|
| 22.04 LTS jammy |
Fixed 249.11-0ubuntu3.19
|
|
| 20.04 LTS focal |
Fixed 245.4-4ubuntu3.24+esm3
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-8119-1
- systemd vulnerabilities
- 23 March 2026
- USN-8119-2
- systemd vulnerabilities
- 23 March 2026