CVE-2019-3844

HIGH

systemd < 242 - Privilege Escalation via DynamicUser SUID Binary Execution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-3844. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates a vulnerability in systemd's DynamicUser feature, where a service can create a setuid binary outside its mount namespace by receiving a file descriptor via a UNIX domain socket from a collaborating user. The PoC includes two C programs to exploit this behavior, resulting in a setuid binary that retains the service's UID after the service terminates.

Description

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdoslinux
https://www.exploit-db.com/exploits/46760

This exploit demonstrates a vulnerability in systemd's DynamicUser feature, where a service can create a setuid binary outside its mount namespace by receiving a file descriptor via a UNIX domain socket from a collaborating user. The PoC includes two C programs to exploit this behavior, resulting in a setuid binary that retains the service's UID after the service terminates.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: systemd (versions with DynamicUser feature)
No auth needed
Prerequisites: Access to a system with systemd and DynamicUser-enabled services · Ability to create and execute custom services · Collaboration with another user or process to pass file descriptors
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108096
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190619-0002/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4269-1/

Scores

CVSS v3 7.8
EPSS 0.0089
EPSS Percentile 54.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-268
Status published
Products (8)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
netapp/cn1610_firmware
netapp/hci_management_node
netapp/snapprotect
netapp/solidfire
systemd_project/systemd < 242
Published Apr 26, 2019
Tracked Since Feb 18, 2026