CVE-2026-4897 MEDIUM

CVE-2026-4897: Polkit: polkit: denial of service via unbounded input processing through standard input

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
Weakness: CWE-770 · Uncontrolled resource consumption
Published: March 26, 2026
Last update: March 30, 2026

CVSS base score

5.5/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.

Key dates

02 Disclosure timeline

March 26, 2026: CVE published
March 30, 2026: Record updated