CVE-2016-10156 in systemd

Summary

by MITRE

A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229.


Analysis

by VulDB Data Team • 05/14/2026

The vulnerability identified as CVE-2016-10156 represents a critical privilege escalation flaw within the systemd init system version 228, specifically affecting the file system utility functions in the source code file /src/basic/fs-util.c. This issue arises from the improper handling of file permissions during the creation of suid (set user ID) files when utilizing systemd timer features, creating a dangerous condition where world-writable suid files can be generated with elevated privileges. The flaw demonstrates a fundamental failure in the permission management system, allowing local attackers to exploit this weakness and gain root access to the compromised system.

The technical root cause of this vulnerability stems from the insufficient validation of file permissions during the creation of suid files within the systemd timer implementation. When systemd processes timer configurations, it creates temporary files that should normally be protected with restrictive permissions to prevent unauthorized modification. However, the flaw in fs-util.c allows these files to be created with world-writable permissions, violating the principle of least privilege and creating an exploitable condition. This issue directly maps to CWE-732: Incorrect Permission Assignment for Critical Resource, which addresses the assignment of incorrect permissions to security-critical resources. The vulnerability specifically affects the systemd timer subsystem, which is a core component of the systemd service manager responsible for scheduling and executing automated tasks.

The operational impact of this vulnerability is severe and far-reaching, as it provides local attackers with a straightforward path to privilege escalation from user-level access to root privileges. Attackers can exploit this condition by creating malicious timer files that, when executed, leverage the world-writable suid files to gain elevated system access. This allows for complete system compromise, enabling unauthorized users to execute arbitrary code with root privileges, modify system files, install malware, or establish persistent backdoors. The vulnerability affects systems running systemd version 228 and earlier, making it particularly concerning given the widespread adoption of systemd across modern Linux distributions including Ubuntu, Debian, Fedora, and CentOS. The exploitability of this vulnerability is high since it requires no special privileges beyond local user access and can be automated through standard system administration tools.

System administrators and security professionals should immediately update affected systems to systemd version 229 or later, which contains the necessary patches to address this vulnerability. The fix implemented in version 229 corrects the file permission handling in fs-util.c to ensure that suid files are created with proper restrictive permissions, eliminating the possibility of world-writable suid files being generated. Additional mitigations include conducting comprehensive system audits to identify and remove any existing world-writable suid files that may have been created prior to patching, implementing proper file system monitoring to detect unauthorized permission changes, and ensuring that systemd timer configurations follow strict security guidelines. Organizations should also consider implementing the principle of least privilege for timer configurations and regularly reviewing system logs for suspicious activity related to systemd timer execution. This vulnerability highlights the critical importance of proper permission management in system-level components and demonstrates how flaws in init systems can provide attackers with direct paths to complete system compromise, aligning with ATT&CK technique T1068: Exploitation for Privilege Escalation.
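The audit for existing world-writable suid files mentioned above can be scripted. The following is an added example, not code from systemd or from this advisory; the function names `list_risky` and `audit_suid_ww` are hypothetical, and the directory to scan is supplied by the operator.

```sh
#!/bin/sh
# Added example (not systemd or VulDB code): audit a tree for files that are
# set-uid or set-gid AND writable by "other", the condition this CVE describes.

# list_risky DIR
# Print one path per line for each regular file under DIR (same filesystem
# only) whose mode includes setuid+other-write or setgid+other-write.
list_risky() {
    find "$1" -xdev -type f \( -perm -4002 -o -perm -2002 \) -print
}

# audit_suid_ww DIR [--fix]
# Show each finding with its mode and owner. With --fix, strip the
# setuid/setgid and other-write bits. Returns 1 if anything was found, else 0.
audit_suid_ww() {
    dir=$1
    fix=${2:-}
    # find exits non-zero on unreadable directories; keep what it did report.
    out=$(list_risky "$dir") || true
    [ -n "$out" ] || return 0
    # Line-based loop: paths containing newlines are not handled.
    while IFS= read -r f; do
        ls -ld -- "$f"
        if [ "$fix" = "--fix" ]; then
            # Clearing the bits removes the escalation path, but the file was
            # writable by anyone: treat its contents as untrusted.
            chmod u-s,g-s,o-w -- "$f"
        fi
    done <<EOF
$out
EOF
    return 1
}
```

Run it as root so every directory is readable, and call it once per mounted filesystem, because `-xdev` stops at mount points.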

Reservation: 01/22/2017

Disclosure: 01/23/2017

Moderation: accepted

Entry: VDB-95789

CPE: ready

Exploit: Download

EPSS: 0.00712

KEV: no

Activities: very low
