CVE-2026-4105: Improper Access Control in Red Hat Enterprise Linux 10
A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
AI Analysis
Technical Summary
CVE-2026-4105 is a vulnerability identified in the systemd-machined service component of Red Hat Enterprise Linux 10. The flaw stems from improper access control due to insufficient validation of the 'class' parameter in the RegisterMachine method exposed via D-Bus, a common interprocess communication system on Linux. Specifically, a local unprivileged user can exploit this by registering a machine with a specially crafted class value, which results in the creation of a machine object controlled by the attacker. This malicious object can then be used to invoke privileged methods on the systemd-machined service, effectively allowing the attacker to execute arbitrary commands with root-level privileges on the host system. The vulnerability requires local access and user interaction, as the attacker must invoke the RegisterMachine method with the crafted parameter. The CVSS v3.1 base score is 6.7, reflecting medium severity, with high impact on confidentiality, integrity, and availability if exploited. The attack complexity is high due to the need for local access and specific parameter manipulation. No public exploits or widespread attacks have been reported to date. The vulnerability highlights a critical flaw in access control validation within a core system service that manages container and virtual machine lifecycle, making it a significant risk in environments where multiple users have local access or where untrusted users can gain shell access.
Potential Impact
If exploited, this vulnerability allows a local unprivileged user to escalate privileges to root, compromising the entire system. This could lead to full system takeover, unauthorized data access, modification, or destruction, and disruption of services. In multi-tenant or shared environments, such as cloud or container hosts running RHEL 10, this could enable attackers to break isolation boundaries, impacting other tenants or workloads. The ability to execute arbitrary commands as root also facilitates installation of persistent backdoors, lateral movement, and further exploitation within an organization's network. Although exploitation requires local access, the severity of impact on confidentiality, integrity, and availability is high. Organizations relying on RHEL 10 for critical infrastructure, servers, or desktops are at risk of significant operational and security consequences if this vulnerability is exploited.
Mitigation Recommendations
Organizations should monitor Red Hat advisories closely and apply official patches or updates for systemd-machined as soon as they become available. Until patches are deployed, restrict local user access to trusted personnel only and enforce strict user privilege separation. Disable or limit D-Bus access to systemd-machined where possible, using access control policies to prevent unprivileged users from invoking RegisterMachine or related methods. Employ mandatory access control frameworks such as SELinux or AppArmor to confine systemd-machined and reduce the impact of potential exploits. Regularly audit local user accounts and remove unnecessary accounts or privileges. Implement comprehensive logging and monitoring of D-Bus calls and systemd-machined activity to detect suspicious attempts to register machines with unusual class parameters. Consider network segmentation and endpoint protection to limit the ability of attackers to gain local access in the first place.
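The monitoring recommendation above can be prototyped as a small filter over D-Bus monitor text; the following is an added example, not code from Red Hat or the systemd project. It assumes input in the textual layout `dbus-monitor --system` prints, and the allow-list of expected class values (`container`, `vm`) and the constructed sample messages are assumptions to adjust per host.

```python
import re

# Assumption: the class values legitimate tooling on this host registers.
EXPECTED_CLASSES = {"container", "vm"}
WATCHED = {"RegisterMachine", "RegisterMachineWithNetwork"}
HEADER = re.compile(r"^method call .*?sender=(?P<sender>\S+) .*?"
                    r"interface=(?P<iface>[\w.]+); member=(?P<member>\w+)\s*$")
STRING_ARG = re.compile(r'^\s+string "(?P<value>.*)"\s*$')

def parse_calls(lines):
    """Yield {'sender', 'strings'} for each watched machine1 Manager call."""
    current = None
    for line in lines:
        if line and not line[0].isspace():  # unindented line starts a new message
            if current:
                yield current
            current, header = None, HEADER.match(line)
            if (header and header["iface"] == "org.freedesktop.machine1.Manager"
                    and header["member"] in WATCHED):
                current = {"sender": header["sender"], "strings": []}
        elif current is not None and (arg := STRING_ARG.match(line)):
            current["strings"].append(arg["value"])
    if current:
        yield current

def suspicious_registrations(lines):
    """Return (sender, name, class, reason) tuples for calls that need review."""
    findings = []
    for call in parse_calls(lines):
        strings = call["strings"]
        # Signature "sayssus": string arguments are name, service, class, root.
        if len(strings) < 3:
            findings.append((call["sender"], None, None, "malformed arguments"))
        elif strings[2] not in EXPECTED_CLASSES:
            findings.append((call["sender"], strings[0], strings[2], "unexpected class"))
    return findings

def sample_call(sender, name, machine_class):
    """Constructed text in dbus-monitor's layout (not a capture from a real host)."""
    return (f"method call time=0.0 sender={sender} -> destination=org.freedesktop.machine1 "
            "serial=2 path=/org/freedesktop/machine1; "
            "interface=org.freedesktop.machine1.Manager; member=RegisterMachine\n"
            f'   string "{name}"\n   array of bytes [\n      00 01 02 03\n   ]\n'
            f'   string "example.service"\n   string "{machine_class}"\n'
            '   uint32 4121\n   string ""').splitlines()

SAMPLE = sample_call(":1.52", "build-ct", "container") + \
         sample_call(":1.97", "tmp0", "EXAMPLE-UNEXPECTED")
```

Calling `suspicious_registrations(SAMPLE)` reports only the second constructed call; the sender's unique bus name can then be correlated with a process and user from systemd-machined and audit logs.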
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, China
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-03-13T08:24:25.873Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b41bd82f860ef943e9123e
Added to database: 3/13/2026, 2:14:48 PM
Last enriched: 3/13/2026, 2:29:10 PM
Last updated: 3/13/2026, 4:02:51 PM