{
  "id": "CVE-2021-4034",
  "details": "A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it induces pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.",
  "modified": "2026-05-18T20:49:56.262944Z",
  "published": "2022-01-28T20:15:12.193Z",
  "related": [
    "ALSA-2022:0267",
    "SUSE-SU-2022:0189-1",
    "SUSE-SU-2022:0190-1",
    "SUSE-SU-2022:0191-1",
    "openSUSE-SU-2022:0190-1",
    "openSUSE-SU-2024:11780-1"
  ],
  "database_specific": {
    "unresolved_ranges": [
      {
        "cpes": [
          "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
          "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
          "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
          "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
          "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "canonical:ubuntu_linux",
        "extracted_events": [
          {"last_affected": "14.04"},
          {"last_affected": "16.04"},
          {"last_affected": "18.04"},
          {"last_affected": "20.04"},
          {"last_affected": "21.10"}
        ]
      },
      {
        "cpes": [
          "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "oracle:http_server",
        "extracted_events": [
          {"last_affected": "12.2.1.3.0"},
          {"last_affected": "12.2.1.4.0"}
        ]
      },
      {
        "cpes": ["cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "oracle:zfs_storage_appliance_kit",
        "extracted_events": [{"last_affected": "8.8"}]
      },
      {
        "cpes": ["cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux",
        "extracted_events": [{"last_affected": "8.0"}]
      },
      {
        "cpes": ["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_desktop",
        "extracted_events": [{"last_affected": "7.0"}]
      },
      {
        "cpes": ["cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_eus",
        "extracted_events": [{"last_affected": "8.2"}]
      },
      {
        "cpes": [
          "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_for_ibm_z_systems",
        "extracted_events": [
          {"last_affected": "7.0"},
          {"last_affected": "8.0"}
        ]
      },
      {
        "cpes": [
          "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_for_ibm_z_systems_eus",
        "extracted_events": [
          {"last_affected": "8.2"},
          {"last_affected": "8.4"}
        ]
      },
      {
        "cpes": ["cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_for_power_big_endian",
        "extracted_events": [{"last_affected": "7.0"}]
      },
      {
        "cpes": [
          "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_for_power_little_endian",
        "extracted_events": [
          {"last_affected": "7.0"},
          {"last_affected": "8.0"}
        ]
      },
      {
        "cpes": [
          "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_for_power_little_endian_eus",
        "extracted_events": [
          {"last_affected": "8.1"},
          {"last_affected": "8.2"},
          {"last_affected": "8.4"}
        ]
      },
      {
        "cpes": ["cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_for_scientific_computing",
        "extracted_events": [{"last_affected": "7.0"}]
      },
      {
        "cpes": [
          "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_server",
        "extracted_events": [
          {"last_affected": "6.0"},
          {"last_affected": "7.0"}
        ]
      },
      {
        "cpes": [
          "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_server_aus",
        "extracted_events": [
          {"last_affected": "7.3"},
          {"last_affected": "7.4"},
          {"last_affected": "7.6"},
          {"last_affected": "7.7"},
          {"last_affected": "8.2"},
          {"last_affected": "8.4"}
        ]
      },
      {
        "cpes": ["cpe:2.3:o:redhat:enterprise_linux_server_eus:8.4:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_server_eus",
        "extracted_events": [{"last_affected": "8.4"}]
      },
      {
        "cpes": [
          "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_server_tus",
        "extracted_events": [
          {"last_affected": "7.6"},
          {"last_affected": "7.7"},
          {"last_affected": "8.2"},
          {"last_affected": "8.4"}
        ]
      },
      {
        "cpes": [
          "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*",
          "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*",
          "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_server_update_services_for_sap_solutions",
        "extracted_events": [
          {"last_affected": "7.6"},
          {"last_affected": "7.7"},
          {"last_affected": "8.1"},
          {"last_affected": "8.2"},
          {"last_affected": "8.4"}
        ]
      },
      {
        "cpes": ["cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "redhat:enterprise_linux_workstation",
        "extracted_events": [{"last_affected": "7.0"}]
      },
      {
        "cpes": ["cpe:2.3:o:siemens:scalance_lpe9403_firmware:*:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "siemens:scalance_lpe9403_firmware",
        "extracted_events": [{"fixed": "2.0"}]
      },
      {
        "cpes": ["cpe:2.3:a:siemens:sinumerik_edge:*:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "siemens:sinumerik_edge",
        "extracted_events": [{"fixed": "3.3.0"}]
      },
      {
        "cpes": ["cpe:2.3:a:starwindsoftware:command_center:1.0:update3_build5871:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "starwindsoftware:command_center",
        "extracted_events": [{"last_affected": "1.0-update3_build5871"}]
      },
      {
        "cpes": ["cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build14338:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "starwindsoftware:starwind_virtual_san",
        "extracted_events": [{"last_affected": "v8-build14338"}]
      },
      {
        "cpes": ["cpe:2.3:a:suse:enterprise_storage:7.0:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "suse:enterprise_storage",
        "extracted_events": [{"last_affected": "7.0"}]
      },
      {
        "cpes": ["cpe:2.3:o:suse:linux_enterprise_desktop:15:sp2:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "suse:linux_enterprise_desktop",
        "extracted_events": [{"last_affected": "15-sp2"}]
      },
      {
        "cpes": ["cpe:2.3:a:suse:linux_enterprise_high_performance_computing:15.0:sp2:*:*:-:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "suse:linux_enterprise_high_performance_computing",
        "extracted_events": [{"last_affected": "15.0-sp2"}]
      },
      {
        "cpes": [
          "cpe:2.3:o:suse:linux_enterprise_server:15:sp2:*:*:*:-:*:*",
          "cpe:2.3:o:suse:linux_enterprise_server:15:sp2:*:*:*:sap:*:*"
        ],
        "source": "CPE_FIELD",
        "vendor_product": "suse:linux_enterprise_server",
        "extracted_events": [
          {"last_affected": "15-sp2"},
          {"last_affected": "15-sp2"}
        ]
      },
      {
        "cpes": ["cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp5:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "suse:linux_enterprise_workstation_extension",
        "extracted_events": [{"last_affected": "12-sp5"}]
      },
      {
        "cpes": ["cpe:2.3:a:suse:manager_proxy:4.1:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "suse:manager_proxy",
        "extracted_events": [{"last_affected": "4.1"}]
      },
      {
        "cpes": ["cpe:2.3:a:suse:manager_server:4.1:*:*:*:*:*:*:*"],
        "source": "CPE_FIELD",
        "vendor_product": "suse:manager_server",
        "extracted_events": [{"last_affected": "4.1"}]
      }
    ]
  },
  "references": [
    {"type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-4034"},
    {"type": "ADVISORY", "url": "http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html"},
    {"type": "ADVISORY", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2022-001"},
    {"type": "ADVISORY", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-330556.pdf"},
    {"type": "ADVISORY", "url": "https://www.starwindsoftware.com/security/sw-20220818-0001/"},
    {"type": "ADVISORY", "url": "https://www.suse.com/support/kb/doc/?id=000020564"},
    {"type": "FIX", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025869"},
    {"type": "FIX", "url": "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683"},
    {"type": "FIX", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"},
    {"type": "EVIDENCE", "url": "http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html"},
    {"type": "EVIDENCE", "url": "https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt"},
    {"type": "EVIDENCE", "url": "https://www.secpod.com/blog/local-privilege-escalation-vulnerability-in-major-linux-distributions-cve-2021-4034/"},
    {"type": "EVIDENCE", "url": "https://www.vicarius.io/vsociety/posts/pwnkit-pkexec-lpe-cve-2021-4034"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://gitlab.freedesktop.org/polkit/polkit",
          "events": [
            {"introduced": "0"},
            {"fixed": "827b0ddac5b1ef00a47fca4526fcf057bee5f1db"},
            {"fixed": "a2bf5c9c83b6ae46cbd5c779d3055bff81ded683"}
          ],
          "database_specific": {
            "cpe": "cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*",
            "source": ["CPE_FIELD", "REFERENCES"],
            "extracted_events": [
              {"introduced": "0"},
              {"fixed": "121"}
            ]
          }
        }
      ],
      "versions": [
        "0.120", "0.119", "0.118", "0.117", "0.116", "0.115", "0.114", "0.113", "0.112", "0.111",
        "0.110", "0.109", "0.108", "0.107", "0.106", "0.105", "0.104", "0.103", "0.102", "0.96",
        "0.101", "0.100", "0.99", "0.98", "0.97", "0.95", "0.94", "0.93", "0.92", "0.91",
        "POLICY_KIT_0_9", "POLICY_KIT_0_8", "POLICY_KIT_0_7", "POLICY_KIT_0_6", "POLICY_KIT_0_5",
        "POLICY_KIT_0_4", "POLICY_KIT_0_3", "start"
      ],
      "database_specific": {
        "vanir_signatures": [
          {
            "source": "https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683",
            "id": "CVE-2021-4034-314cbecc",
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
              "function_hash": "32570418561053402702943127759871466400",
              "length": 9742
            },
            "target": {"function": "main", "file": "src/programs/pkexec.c"},
            "signature_type": "Function"
          },
          {
            "source": "https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683",
            "id": "CVE-2021-4034-925219d0",
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "213998750295636857179079909536485960320",
                "278734282904971204434169771972003805228",
                "19650700869071089274018684711323071243",
                "168828756042991529351455686026289160629",
                "40690998152194075775332422815916804684",
                "13939387846029825278873453783023749278",
                "252652119165071349920865803595180110656",
                "70320173189091660192941128994028468583",
                "107583928421380347849317833122769418756",
                "306196123157583984374424451218656751827",
                "144736080548638912673426995235414810295",
                "98087446916703697762879769665415488591",
                "218819539977279485871861530533275995832",
                "32024447173852229240787042447495035321"
              ]
            },
            "target": {"file": "src/programs/pkexec.c"},
            "signature_type": "Line"
          },
          {
            "source": "https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683",
            "id": "CVE-2021-4034-bd0a4981",
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
              "function_hash": "48916128638231852043721993153747674346",
              "length": 5706
            },
            "target": {"function": "main", "file": "src/programs/pkcheck.c"},
            "signature_type": "Function"
          },
          {
            "source": "https://gitlab.freedesktop.org/polkit/polkit@a2bf5c9c83b6ae46cbd5c779d3055bff81ded683",
            "id": "CVE-2021-4034-e0984eb7",
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "273856761981597668010333138287779505402",
                "173734811988144302255653828186019334929",
                "215501817520057129252303208780659306627"
              ]
            },
            "target": {"file": "src/programs/pkcheck.c"},
            "signature_type": "Line"
          }
        ],
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-4034.json",
        "vanir_signatures_modified": "2026-05-18T20:49:56Z"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}
  ]
}