An out-of-bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data.
An allocation of memory without limits, which could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.
An allocation of memory without limits, which could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate their privileges.
Before version v240, the systemd-tmpfiles program will follow symlinks present in a non-terminal path component while adjusting permissions and ownership. Often -- and particularly with "Z" type entries -- an attacker can introduce such a symlink and take control of arbitrary files on the system to gain root. The "fs.protected_symlinks" sysctl does not prevent this attack. Version v239 contained a partial fix, but only for the easy-to-exploit recursive "Z" type entries.
systemd has the ability to serialize and deserialize data. In some functions of this feature, lines longer than LINE_MAX aren't properly handled and the content of a property longer than that is interpreted as serialized state. This allows an attacker to corrupt or to inject values in the state of the service when systemd needs to deserialize data.
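The long-line handling flaw described above, shown on a toy line-oriented state format as an added example (not systemd's code): a reader that treats every fixed-size chunk as a complete line is set beside one that drops over-long lines whole. `DEMO_LINE_MAX`, the `main-pid` and `description` keys, and the sample state are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEMO_LINE_MAX 32 /* assumption: small stand-in for LINE_MAX */
/* Constructed input: 12 + 19 bytes of line two fill one 31-byte chunk exactly. */
const char SAMPLE_STATE[] = "main-pid=100\n"
    "description=" "AAAAAAAAAA" "AAAAAAAAA" "main-pid=1\n";
/* fgets()-like read from memory: at most n-1 bytes, stops after '\n'. */
static size_t read_chunk(const char **p, char *buf, size_t n) {
    size_t i = 0;
    while (i + 1 < n && **p)
        if ((buf[i++] = *(*p)++) == '\n') break;
    buf[i] = '\0';
    return i;
}

/* Hypothetical state key "main-pid=<n>". */
static void apply_line(const char *line, long *pid) {
    if (strncmp(line, "main-pid=", 9) == 0)
        *pid = strtol(line + 9, NULL, 10);
}

/* Naive: every chunk is parsed as a full line, even the tail of an over-long one. */
long deserialize_naive(const char *state) {
    char buf[DEMO_LINE_MAX];
    long pid = -1;
    while (read_chunk(&state, buf, sizeof buf))
        apply_line(buf, &pid);
    return pid;
}

/* Strict: a chunk with no trailing '\n' marks an over-long line, dropped whole. */
long deserialize_strict(const char *state) {
    char buf[DEMO_LINE_MAX];
    long pid = -1;
    int overlong = 0;
    size_t n;
    while ((n = read_chunk(&state, buf, sizeof buf)) > 0) {
        int complete = buf[n - 1] == '\n';
        if (complete && !overlong) apply_line(buf, &pid);
        overlong = !complete;
    }
    return pid;
}

int main(void) {
    printf("naive=%ld strict=%ld\n",
           deserialize_naive(SAMPLE_STATE), deserialize_strict(SAMPLE_STATE));
    return 0;
}
```

The strict reader also discards a final line that lacks a trailing newline; a reader that grows its buffer to hold the whole line is the other common way to keep one line equal to one record.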
A race condition in chown_one() in systemd allows an attacker to arbitrarily change the permissions of files. In some situations, systemd needs to recursively change ownership of files. In the case when the file is not a link, it needs to re-set the file mode because it can be changed by the operating system. Due to the racy behaviour of the function, an attacker can bypass the check and change the mode of any file in the system.
The DHCPv6 client in systemd-networkd doesn't properly validate whether the buffer has enough space to store a DHCP6Option passed by a DHCP server and, as a result, allows an out-of-bounds write during option handling.