Security update for systemd

Announcement ID:	SUSE-SU-2026:0990-1
Release Date:	2026-03-24T07:22:54Z
Rating:	important
References:	bsc#1259418 bsc#1259650 bsc#1259697
Cross-References:	CVE-2026-29111 CVE-2026-4105
CVSS scores:	CVE-2026-29111 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-29111 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-29111 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-4105 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-4105 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-4105 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.3 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro for Rancher 5.2

An update that solves two vulnerabilities and has one security fix can now be installed.

Description:

This update for systemd fixes the following issues:

• CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
• CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
• udev: check for invalid chars in various fields received from the kernel (bsc#1259697).

Changelog:

• 566517ffcb machined: reject invalid class types when registering machines
• abbdd89d78 udev: fix review mixup
• c9cedd26be udev-builtin-net-id: print cescaped bad attributes
• c0f4ec3db9 udev: ensure tag parsing stays within bounds
• 38afcb73cc udev: ensure there is space for trailing NUL before calling sprintf
• a64247de62 udev: check for invalid chars in various fields received from the kernel
• ecce32966e core/cgroup: avoid one unnecessary strjoina()
• 6abd2b5bd2 core: validate input cgroup path more prudently
• 2d7d93d6c1 alloc-util: add strdupa_safe() + strndupa_safe() and use it everywhere

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.3
  zypper in -t patch SUSE-2026-990=1
• SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2026-990=1
• SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2026-990=1

Package List:

• openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
  • udev-mini-246.16-150300.7.65.1
  • systemd-mini-sysvinit-246.16-150300.7.65.1
  • libudev-mini1-246.16-150300.7.65.1
  • libsystemd0-mini-246.16-150300.7.65.1
  • systemd-doc-246.16-150300.7.65.1
  • systemd-debuginfo-246.16-150300.7.65.1
  • libsystemd0-mini-debuginfo-246.16-150300.7.65.1
  • libudev1-debuginfo-246.16-150300.7.65.1
  • nss-myhostname-debuginfo-246.16-150300.7.65.1
  • libsystemd0-debuginfo-246.16-150300.7.65.1
  • systemd-journal-remote-246.16-150300.7.65.1
  • systemd-journal-remote-debuginfo-246.16-150300.7.65.1
  • systemd-mini-debugsource-246.16-150300.7.65.1
  • nss-myhostname-246.16-150300.7.65.1
  • nss-resolve-debuginfo-246.16-150300.7.65.1
  • systemd-network-debuginfo-246.16-150300.7.65.1
  • systemd-sysvinit-246.16-150300.7.65.1
  • libudev-mini1-debuginfo-246.16-150300.7.65.1
  • systemd-debugsource-246.16-150300.7.65.1
  • udev-246.16-150300.7.65.1
  • libudev-devel-246.16-150300.7.65.1
  • libsystemd0-246.16-150300.7.65.1
  • systemd-container-debuginfo-246.16-150300.7.65.1
  • systemd-coredump-246.16-150300.7.65.1
  • udev-debuginfo-246.16-150300.7.65.1
  • systemd-mini-debuginfo-246.16-150300.7.65.1
  • systemd-portable-246.16-150300.7.65.1
  • nss-resolve-246.16-150300.7.65.1
  • systemd-mini-devel-246.16-150300.7.65.1
  • systemd-portable-debuginfo-246.16-150300.7.65.1
  • systemd-246.16-150300.7.65.1
  • libudev1-246.16-150300.7.65.1
  • nss-mymachines-debuginfo-246.16-150300.7.65.1
  • nss-mymachines-246.16-150300.7.65.1
  • systemd-mini-container-246.16-150300.7.65.1
  • systemd-mini-246.16-150300.7.65.1
  • nss-systemd-246.16-150300.7.65.1
  • udev-mini-debuginfo-246.16-150300.7.65.1
  • systemd-coredump-debuginfo-246.16-150300.7.65.1
  • systemd-devel-246.16-150300.7.65.1
  • systemd-mini-container-debuginfo-246.16-150300.7.65.1
  • systemd-logger-246.16-150300.7.65.1
  • systemd-network-246.16-150300.7.65.1
  • libudev-mini-devel-246.16-150300.7.65.1
  • systemd-container-246.16-150300.7.65.1
  • nss-systemd-debuginfo-246.16-150300.7.65.1
• openSUSE Leap 15.3 (x86_64)
  • libudev1-32bit-debuginfo-246.16-150300.7.65.1
  • nss-mymachines-32bit-246.16-150300.7.65.1
  • systemd-32bit-246.16-150300.7.65.1
  • nss-mymachines-32bit-debuginfo-246.16-150300.7.65.1
  • libsystemd0-32bit-debuginfo-246.16-150300.7.65.1
  • systemd-32bit-debuginfo-246.16-150300.7.65.1
  • nss-myhostname-32bit-246.16-150300.7.65.1
  • libudev-devel-32bit-246.16-150300.7.65.1
  • libudev1-32bit-246.16-150300.7.65.1
  • nss-myhostname-32bit-debuginfo-246.16-150300.7.65.1
  • libsystemd0-32bit-246.16-150300.7.65.1
• openSUSE Leap 15.3 (noarch)
  • systemd-lang-246.16-150300.7.65.1
• openSUSE Leap 15.3 (aarch64_ilp32)
  • nss-myhostname-64bit-debuginfo-246.16-150300.7.65.1
  • nss-mymachines-64bit-debuginfo-246.16-150300.7.65.1
  • nss-mymachines-64bit-246.16-150300.7.65.1
  • libudev1-64bit-debuginfo-246.16-150300.7.65.1
  • libsystemd0-64bit-debuginfo-246.16-150300.7.65.1
  • systemd-64bit-246.16-150300.7.65.1
  • nss-myhostname-64bit-246.16-150300.7.65.1
  • libsystemd0-64bit-246.16-150300.7.65.1
  • libudev-devel-64bit-246.16-150300.7.65.1
  • libudev1-64bit-246.16-150300.7.65.1
  • systemd-64bit-debuginfo-246.16-150300.7.65.1
• SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
  • udev-debuginfo-246.16-150300.7.65.1
  • systemd-sysvinit-246.16-150300.7.65.1
  • systemd-debuginfo-246.16-150300.7.65.1
  • systemd-246.16-150300.7.65.1
  • libudev1-246.16-150300.7.65.1
  • libudev1-debuginfo-246.16-150300.7.65.1
  • libsystemd0-debuginfo-246.16-150300.7.65.1
  • systemd-debugsource-246.16-150300.7.65.1
  • systemd-journal-remote-246.16-150300.7.65.1
  • systemd-journal-remote-debuginfo-246.16-150300.7.65.1
  • udev-246.16-150300.7.65.1
  • systemd-container-246.16-150300.7.65.1
  • libsystemd0-246.16-150300.7.65.1
  • systemd-container-debuginfo-246.16-150300.7.65.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
  • udev-debuginfo-246.16-150300.7.65.1
  • systemd-sysvinit-246.16-150300.7.65.1
  • systemd-debuginfo-246.16-150300.7.65.1
  • systemd-246.16-150300.7.65.1
  • libudev1-246.16-150300.7.65.1
  • libudev1-debuginfo-246.16-150300.7.65.1
  • libsystemd0-debuginfo-246.16-150300.7.65.1
  • systemd-debugsource-246.16-150300.7.65.1
  • systemd-journal-remote-246.16-150300.7.65.1
  • systemd-journal-remote-debuginfo-246.16-150300.7.65.1
  • udev-246.16-150300.7.65.1
  • systemd-container-246.16-150300.7.65.1
  • libsystemd0-246.16-150300.7.65.1
  • systemd-container-debuginfo-246.16-150300.7.65.1

References:

• https://www.suse.com/security/cve/CVE-2026-29111.html
• https://www.suse.com/security/cve/CVE-2026-4105.html
• https://bugzilla.suse.com/show_bug.cgi?id=1259418
• https://bugzilla.suse.com/show_bug.cgi?id=1259650
• https://bugzilla.suse.com/show_bug.cgi?id=1259697