Fluid Attacks Database

Description

A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the polkit-agent-helper-1 setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	policykit-1	=0.105-31 \|\| =0.105-31+deb11u1 \|\| >=0 <0.105-31+deb11u2	0.105-31+deb11u2
rpm rhel7	polkit	-	-
rpm rhel8	polkit	-	-
rpm rhel6	polkit	-	-
rpm rhel9	polkit	-	-
debian 13	policykit-1	=126-2 \|\| =127-1 \|\| =127-2 \|\| =127-3	-
debian 12	policykit-1	=122-3 \|\| =122-4 \|\| =123-1 \|\| =123-2 \|\| =123-3 \|\| =124-1 \|\| =124-2 \|\| =124-3 \|\| =125-1 \|\| =125-2 \|\| =126-1 \|\| =126-2 \|\| =127-1 \|\| =127-2 \|\| =127-3	-
debian 14	policykit-1	=126-2 \|\| =127-1 \|\| =127-2 \|\| >=0 <127-3	127-3
rpm rhel10	polkit	-	-

Aliases

1. CVE-2026-48972. NVD-2026-48973. OSV-DEBIAN-2026-48974. OSV-2026-48975. SECURITY-TRACKER-CVE-2026-4897

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.