Debian 11 Bullseye PolicyKit-1 Denial of Service Notice DLA-4553-1

Debian LTS
April 29, 2026
Debian LTS advisory DLA-4553-1 fixes multiple denial-of-service vulnerabilities in policykit-1. Upgrading is recommended.
Multiple vulnerabilities were identified in polkit, a toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes.

Summary

CVE-2021-4115

Kevin Backhouse of GitHub Security Lab (GHSL) found a file descriptor
leak in polkit, which an unprivileged user can trigger to crash polkit
through file descriptor exhaustion. This could cause ongoing
authentication attempts to fail, resulting in a Denial of Service (DoS).

CVE-2026-4897

Pavel Kohout of Aisle Research found that a local user can provide a
specially crafted, excessively long input to the `polkit-agent-helper-1`
setuid binary via standard input (stdin). This unbounded input can lead
to an out-of-memory (OOM) condition, resulting in a Denial of Service
(DoS) for the system.

For Debian 11 bullseye, these problems have been fixed in version
0.105-31+deb11u2.

We recommend that you upgrade your policykit-1 packages.

For the detailed security status of policykit-1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/policykit-1

Severity: important

Package: policykit-1
Version: 0.105-31+deb11u2
CVE ID: CVE-2021-4115 CVE-2026-4897
Debian Bug: 1005784 1132234
