CVE-2026-4105

MEDIUM LAB

Red Hat Enterprise Linux 10 - Improper Access Control via systemd-machined RegisterMachine D-Bus Method

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-4105. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2026-4105, a local privilege escalation vulnerability in systemd-machined (v225–v259.3) due to improper machine class access control. The PoC includes multiple vectors (D-Bus, Varlink) and a bypass for the patched version (v259.4).

Description

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

Exploits (1)

github WORKING POC 2 stars

by exploitintel · cpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-4105

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2026-4105, a local privilege escalation vulnerability in systemd-machined (v225–v259.3) due to improper machine class access control. The PoC includes multiple vectors (D-Bus, Varlink) and a bypass for the patched version (v259.4).

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: systemd-machined (v225–v259.3)

Auth required

Prerequisites: Unprivileged desktop user with active session · D-Bus or Varlink access to systemd-machined

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Mar 14, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2447262

Vendor Advisory

https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2026-4105

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:7299

https://access.redhat.com/errata/RHSA-2026:7299

Related Analysis

systemd-machined Privilege Escalation

Scores

CVSS v3 6.7

EPSS 0.0001

EPSS Percentile 1.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

EIP LAB

patched docker pull ghcr.io/exploitintel/cve-2026-4105-patched:latest

vulnerable docker pull ghcr.io/exploitintel/cve-2026-4105-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-284

Status published

Products (18)

Red Hat/Red Hat Enterprise Linux 10 NetworkManager

Red Hat/Red Hat Enterprise Linux 10 rpm-ostree

Red Hat/Red Hat Enterprise Linux 10 systemd

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 7 systemd

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8 NetworkManager

Red Hat/Red Hat Enterprise Linux 8 systemd

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9 NetworkManager

... and 8 more

Published Mar 13, 2026

Tracked Since Mar 14, 2026