{"id":"CVE-2026-40226","details":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","aliases":["GHSA-9mj4-rrc3-gjcx"],"modified":"2026-07-08T08:05:09.574769179Z","published":"2026-04-10T15:18:10.447Z","related":["CGA-f3qf-9gvm-gv5c"],"database_specific":{"cwe_ids":["CWE-348"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40226.json","cna_assigner":"mitre"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40226.json"},{"type":"ADVISORY","url":"https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40226"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/systemd/systemd","events":[{"introduced":"d60c527009133a1ed3d69c14b8c837c790e78d10"},{"fixed":"97f0cb09e1dd861e9039eb2b189811e8232b492f"},{"introduced":"781d9d0789379d1ea1f2ecefb804d41e9c8b6c38"},{"fixed":"687eb73f1a0f442240d114f029c80b6db1a3af48"},{"introduced":"9ca433482f2281d71718718705ca8cd3bf562ad6"},{"fixed":"ca088a7f89030fced26ee8121c6b587a7e8856c7"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:systemd_project:systemd:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"233"},{"fixed":"257.12"},{"introduced":"258"},{"fixed":"258.6"},{"introduced":"259"},{"fixed":"259.4"}]}}],"versions":["v258.5","v257.11","v259.3","v259.2","v258.4","v259.1","v259","v258.3","v257.10","v258.2","v258.1","v257.9","v258","v257.8","v257.7","v257.6","v257.5","v257.4","v257.3","v257.2","v257.1","v257","v257-rc3","v257-rc2","v257-rc1","v256","v256-rc4","v256-rc3","v256-rc2","v256-rc1","v255","v255-rc4","v255-rc3","v255-rc2","v255-rc1","v254","v254-rc3","v254-rc2","v254-rc1","v253","v252","v253-rc3","v253-rc2","v253-rc1","v252-rc3","v252-rc2","v252-rc1","v251","v251-rc3","v251-rc2","v251-rc1","v250","v250-rc3","v250-rc2","v250-rc1","v249","v249-rc3","v249-rc2","v249-rc1","v248-2","v248","v248-rc4","v248-rc3","v248-rc2","v248-rc1","v247","v247-rc2","v247-rc1","v246","v246-rc2","v246-rc1","v245","v245-rc2","v245-rc1","v244","v244-rc1","v243","v243-rc2","v243-rc1","v242","v242-rc4","v242-rc3","v242-rc2","v242-rc1","v241","v241-rc2","v241-rc1","v240","v239","v238","v237","v236","v235","v234","v233"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40226.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}