CVE-2021-3997

Publication date 10 January 2022

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
systemd	21.10 impish	Fixed 248.3-1ubuntu8.2
	21.04 hirsute	Fixed 247.3-3ubuntu3.7
	20.04 LTS focal	Fixed 245.4-4ubuntu3.15
	18.04 LTS bionic	Ignored end of standard support
	16.04 LTS xenial	Ignored end of ESM support, was ignored [cannot be exploited]
	14.04 LTS trusty	Ignored end of ESM support, was ignored [cannot be exploited]

Notes

alexmurray

This vulnerability does not appear to be exploitable for systemd versions before v242 (ie before commit e535840) and onwards hence this is not possible to be exploited on Ubuntu 18.04 LTS and earlier.

Severity score breakdown

CVSS version: CVSS v3.0

Base score 5.5 · Medium

Base metrics

Parameter	Value
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality impact	None
Integrity impact	None
Availability impact	High

Scores

Parameter	Value
Base score	5.5 · Medium
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

USN-5226-1
systemd vulnerability
13 January 2022

Other references

https://www.cve.org/CVERecord?id=CVE-2021-3997