CVE-2026-40225: In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.
Overview
- Severity
- Medium (CVSS 6.4)
- CVSS Vector
- CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U
- Exploit Status
- Not Exploited
- Patch Tuesday
- 2026-Apr
- Released
- 2026-04-29
- Last Updated
- 2026-06-03
- EPSS Score
- 0.04% (percentile: 11.6%)
Affected Products (4)
Open Source Software
- cbl2 systemd 250.3-24 on CBL Mariner 2.0
- azl3 systemd 255-27 on Azure Linux 3.0
- azl3 systemd 255-26 on Azure Linux 3.0
Other
Revision History
- 2026-04-29: Information published.
- 2026-04-29: Information published.
- 2026-05-27: Information published.
- 2026-06-03: Information published.