CVE-2026-4105

Name	CVE-2026-4105
Description	A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
systemd (PTS)	bullseye	247.3-7+deb11u5	vulnerable
	bullseye (security)	247.3-7+deb11u7	vulnerable
	bookworm	252.39-1~deb12u1	vulnerable
	bookworm (security)	252.38-1~deb12u1	vulnerable
	trixie	257.9-1~deb13u1	vulnerable
	forky, sid	260.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
systemd	source	(unstable)	260~rc3-1

Notes

[trixie] - systemd <no-dsa> (Only exloitable with custom polkit policy that allows register-machine access)
[bookworm] - systemd <no-dsa> (Only exloitable with custom polkit policy that allows register-machine access)
[bullseye] - systemd <postponed> (Only exloitable with custom polkit policy that allows register-machine access)
https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862
Introduced with: https://github.com/systemd/systemd/commit/fbe550738d03b178bb004a1390e74115e904118a (v225)
Fixed by: https://github.com/systemd/systemd/commit/6df5f80bd374be1b45c52d740e88f0236da922c7 (v260-rc3)
Fixed by: https://github.com/systemd/systemd/commit/497d0172416cbb5b70f96b95399d041407c223bd (v259.4)