{"id":"CVE-2021-4034","details":"A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.","modified":"2026-04-16T04:37:39.050294273Z","published":"2022-01-28T20:15:12.193Z","related":["ALSA-2022:0267","SUSE-SU-2022:0189-1","SUSE-SU-2022:0190-1","SUSE-SU-2022:0191-1","openSUSE-SU-2022:0190-1","openSUSE-SU-2024:11780-1"],"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034"},{"type":"ADVISORY","url":"https://www.suse.com/support/kb/doc/?id=000020564"},{"type":"ADVISORY","url":"https://access.redhat.com/security/vulnerabilities/RHSB-2022-001"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf"},{"type":"ADVISORY","url":"https://www.starwindsoftware.com/security/sw-20220818-0001/"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2025869"},{"type":"FIX","url":"https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683"},{"type":"EVIDENCE","url":"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt"},{"type":"EVIDENCE","url":"https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/"},{"type":"EVIDENCE","url":"https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.freedesktop.org/polkit/polkit","events":[{"introduced":"0"},{"fixed":"827b0ddac5b1ef00a47fca4526fcf057bee5f1db"},{"fixed":"a2bf5c9c83b6ae46cbd5c779d3055bff81ded683"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"121"}]}}],"versions":["0.100","0.101","0.102","0.103","0.104","0.105","0.106","0.107","0.108","0.109","0.110","0.111","0.112","0.113","0.114","0.115","0.116","0.117","0.118","0.119","0.120","0.91","0.92","0.93","0.94","0.95","0.96","0.97","0.98","0.99","POLICY_KIT_0_3","POLICY_KIT_0_4","POLICY_KIT_0_5","POLICY_KIT_0_6","POLICY_KIT_0_7","POLICY_KIT_0_8","POLICY_KIT_0_9","start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-4034.json","vanir_signatures_modified":"2026-04-11T21:23:20Z","vanir_signatures":[{"source":"https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683","signature_version":"v1","digest":{"length":9742,"function_hash":"32570418561053402702943127759871466400"},"signature_type":"Function","deprecated":false,"target":{"file":"src/programs/pkexec.c","function":"main"},"id":"CVE-2021-4034-314cbecc"},{"signature_type":"Line","target":{"file":"src/programs/pkexec.c"},"digest":{"threshold":0.9,"line_hashes":["213998750295636857179079909536485960320","278734282904971204434169771972003805228","19650700869071089274018684711323071243","168828756042991529351455686026289160629","40690998152194075775332422815916804684","13939387846029825278873453783023749278","252652119165071349920865803595180110656","70320173189091660192941128994028468583","107583928421380347849317833122769418756","306196123157583984374424451218656751827","144736080548638912673426995235414810295","98087446916703697762879769665415488591","218819539977279485871861530533275995832","32024447173852229240787042447495035321"]},"source":"https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683","deprecated":false,"signature_version":"v1","id":"CVE-2021-4034-925219d0"},{"source":"https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683","signature_version":"v1","signature_type":"Function","target":{"file":"src/programs/pkcheck.c","function":"main"},"deprecated":false,"digest":{"length":5706,"function_hash":"48916128638231852043721993153747674346"},"id":"CVE-2021-4034-bd0a4981"},{"source":"https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["273856761981597668010333138287779505402","173734811988144302255653828186019334929","215501817520057129252303208780659306627"]},"deprecated":false,"target":{"file":"src/programs/pkcheck.c"},"id":"CVE-2021-4034-e0984eb7"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"20.04"}]},{"events":[{"introduced":"0"},{"last_affected":"21.10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0-sp2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15-sp2"}]},{"events":[{"introduced":"0"},{"last_affected":"15-sp2"}]},{"events":[{"introduced":"0"},{"last_affected":"15-sp2"}]},{"events":[{"introduced":"0"},{"last_affected":"12-sp5"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"fixed":"3.3.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.0-update3_build5871"}]},{"events":[{"introduced":"0"},{"last_affected":"v8-build14338"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}