The vulnerability CVE-2026-4105 affects the systemd-machined service in Red Hat Hardened Images due to improper access control. Specifically, the RegisterMachine D-Bus method does not sufficiently validate the class parameter, allowing a local unprivileged user to register a machine with a malicious class value. This can result in the creation of an attacker-controlled machine object that enables invoking privileged methods, ultimately allowing execution of arbitrary commands with root privileges. The CVSS 3.1 vector is AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H, reflecting local attack vector, high attack complexity, low privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability. Red Hat has issued advisories referencing this CVE but the provided content does not explicitly state that a patch or official fix is available.

Successful exploitation allows a local unprivileged user to execute arbitrary commands with root privileges on the affected host system. This compromises system confidentiality, integrity, and availability. There are no known exploits in the wild currently. The vulnerability is rated medium severity with a CVSS score of 6.7.

The vendor advisory does not explicitly confirm the availability of a patch or official fix for this vulnerability. Therefore, patch status is not yet confirmed — check the Red Hat advisories at https://access.redhat.com/security/cve/CVE-2026-4105 and https://access.redhat.com/errata/RHSA-2026:7299 for current remediation guidance. Until a fix is confirmed and applied, restrict local unprivileged user access where possible and monitor for unusual activity related to systemd-machined. Follow Red Hat's official guidance for updates and mitigation.