DEBIAN-CVE-2026-29111

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-29111

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29111.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-29111

Upstream

CVE-2026-29111

Published

2026-03-23T22:16:26.267Z

Modified

2026-04-15T06:00:19.710553Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

References

https://security-tracker.debian.org/tracker/CVE-2026-29111

Affected packages

Debian:11 / systemd

Package

Name: systemd
Purl: pkg:deb/debian/systemd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

247.3-7+deb11u8

Affected versions

247.*

247.3-6

247.3-7

247.3-7+deb11u1

247.3-7+deb11u2

247.3-7+deb11u3

247.3-7+deb11u4

247.3-7+deb11u5

247.3-7+deb11u6

247.3-7+deb11u7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29111.json"

Debian:12 / systemd

Package

Name: systemd
Purl: pkg:deb/debian/systemd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

252.*

252.6-1

252.6-1+loong64

252.11-1~deb12u1

252.11-1

252.12-1~deb12u1

252.14-1~deb12u1

252.16-1~deb12u1

252.17-1~deb12u1

252.18-1~deb12u1

252.19-1~deb12u1

252.20-1~deb12u1

252.21-1~deb12u1

252.22-1~deb12u1

252.23-1~deb12u1

252.24-1~deb12u1

252.25-1~deb12u1

252.26-1~deb12u1

252.26-1~deb12u2~bpo11+1

252.26-1~deb12u2

252.27-1~deb12u1

252.28-1~deb12u1

252.29-1~deb12u1~bpo11+1

252.29-1~deb12u1

252.30-1~deb12u1

252.30-1~deb12u2

252.31-1~deb12u1

252.32-1~deb12u1

252.33-1~deb12u1

252.36-1~deb12u1

252.38-1~deb12u1

252.39-1~deb12u1

Other

253~rc2-1

253~rc3-1

253-1

253-2

253-3

253-4

254~rc1-1

254~rc1-2

254~rc1-3

254~rc1-4

254~rc2-1

254~rc2-2

254~rc2-3

254~rc3-1

254~rc3-2

254~rc3-3

254-1

255~rc1-1

255~rc1-2

255~rc1-3

255~rc1-4

255~rc2-1

255~rc2-2

255~rc2-3

255~rc3-1

255~rc3-2

255~rc3-3

255~rc4-1

255~rc4-2

255-1

256~rc1-1~exp

256~rc1-1~exp2

256~rc2-1

256~rc2-2

256~rc2-3

256~rc3-1

256~rc3-2

256~rc3-3

256~rc3-4

256~rc3-5

256~rc3-6

256~rc3-7

256~rc4-1

256-1

256-2

257~rc1-1

257~rc1-2

257~rc1-3

257~rc1-4

257~rc2-1

257~rc2-2

257~rc2-3

257~rc3-1

257-1

257-2

258~rc1-1

258~rc2-1

258~rc2-2

258~rc3-1

258~rc4-1

258-1

259~rc1-1

259~rc2-1

259~rc3-1

259-1

260~rc1-1

260~rc1-2

260~rc2-1

260~rc3-1

260~rc4-1

260-1

253.*

253.5-1

254.*

254.1-1

254.1-2

254.1-3

254.3-1

254.4-1

254.5-1~bpo12+1

254.5-1~bpo12+2

254.5-1~bpo12+3

254.5-1

254.14-1~bpo12+1

254.15-1~bpo12+1

254.16-1~bpo12+1

254.22-1~bpo12+1

254.26-1~bpo12+1

255.*

255.1-1

255.1-2

255.1-3

255.2-1

255.2-2

255.2-3

255.2-4

255.3-1

255.3-2

255.4-1

255.5-1

256.*

256.1-1

256.1-2

256.2-1

256.4-1

256.4-2

256.4-3

256.5-1

256.5-2

256.6-1

256.7-1

256.7-2

256.7-3

257.*

257.1-1

257.1-2

257.1-3

257.1-4

257.1-5

257.1-6

257.1-7

257.2-1

257.2-2

257.2-3

257.3-1

257.4-1

257.4-2

257.4-3

257.4-4

257.4-5

257.4-6

257.4-7

257.4-8

257.4-9

257.5-1

257.5-2

257.6-1

257.7-1

257.8-1~deb13u1

257.8-1~deb13u2

257.9-1~deb13u1

258.*

258.1-1

258.1-2

259.*

259.1-1

260.*

260.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29111.json"

Debian:13 / systemd

Package

Name: systemd
Purl: pkg:deb/debian/systemd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

257.*

257.7-1

257.8-1~deb13u1

257.8-1~deb13u2

257.9-1~deb13u1

Other

258~rc1-1

258~rc2-1

258~rc2-2

258~rc3-1

258~rc4-1

258-1

259~rc1-1

259~rc2-1

259~rc3-1

259-1

260~rc1-1

260~rc1-2

260~rc2-1

260~rc3-1

260~rc4-1

260-1

258.*

258.1-1

258.1-2

259.*

259.1-1

260.*

260.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29111.json"

Debian:14 / systemd

Package

Name: systemd
Purl: pkg:deb/debian/systemd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

260~rc2-1

Affected versions

257.*

257.7-1

257.8-1~deb13u1

257.8-1~deb13u2

257.9-1~deb13u1

Other

258~rc1-1

258~rc2-1

258~rc2-2

258~rc3-1

258~rc4-1

258-1

259~rc1-1

259~rc2-1

259~rc3-1

259-1

260~rc1-1

260~rc1-2

258.*

258.1-1

258.1-2

259.*

259.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29111.json"