systemd
cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*
- >= 258, < 260
An assertion failure vulnerability has been identified in systemd versions 258 and later, prior to 260. A local unprivileged user can trigger an assert that causes the systemd process (PID 1) to freeze execution. The condition arises when a system unit is running with 'Delegate=yes' and no 'User=' specified: an unprivileged IPC API call can then be made that leads to the assertion failure.
Exploitation of this vulnerability causes systemd to hit an assert, freezing execution and disrupting system processes.
To reproduce this vulnerability, create a system unit with 'Delegate=yes' and no 'User=' specified. Once the unit is running, an unprivileged IPC API call can be made to the systemd service, triggering the assertion failure.
Users can stop and disable any system units with 'Delegate=yes' and no 'User=' specified. systemd versions 260, 259.2 and 258.5 include the patch for this vulnerability.
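One way to find the units the workaround above applies to, as an added example that is not part of the advisory or of systemd itself: the function parses `systemctl show` property output and lists units that have Delegate=yes and an empty User=. The unit names, the sample data and the suggested live invocation are assumptions made for illustration.

```bash
# Added example (not from the advisory): flag units with Delegate=yes and an
# empty User= in `systemctl show` output.
# Reads blank-line-separated KEY=VALUE blocks on stdin; prints
# "<unit id><TAB><ActiveState>" for each match, in any property order.
find_delegated_no_user() {
  awk -F= '
    function emit() {
      if (id != "" && delegate == "yes" && user == "") print id "\t" state
      id = ""; delegate = ""; user = ""; state = ""
    }
    /^$/ { emit(); next }                 # blank line ends one unit block
    {
      key = $1
      val = substr($0, length(key) + 2)   # keep any "=" inside the value
      if (key == "Id") id = val
      else if (key == "Delegate") delegate = val
      else if (key == "User") user = val
      else if (key == "ActiveState") state = val
    }
    END { emit() }                        # last block has no trailing blank
  '
}

# Constructed sample in the shape `systemctl show` prints (unit names made up).
sample_show_output() {
  cat <<'EOF'
Id=example-delegated-root.service
User=
Delegate=yes
ActiveState=active

Id=example-delegated-user.service
User=appuser
Delegate=yes
ActiveState=active

ActiveState=inactive
Delegate=yes
Id=example-delegated-stopped.service
User=
EOF
}

sample_show_output | find_delegated_no_user

# On a live host (assumed invocation, covers loaded service units only):
#   systemctl show --all -p Id -p Delegate -p User -p ActiveState '*.service' \
#     | find_delegated_no_user
```

Units reported as inactive are listed as well, since the workaround is to disable them and not only to stop them.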