CVE-2021-4034

Polkit pkexec 'PwnKit' — Out-of-Bounds Write in Argument Handling Permits Root Escalation on Every Major Linux Distribution
⚠️ CVSS 3.1  7.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on June 27, 2022 with a remediation deadline of July 18, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2021-4034, nicknamed "PwnKit" by Qualys, is a local privilege escalation vulnerability in pkexec, the setuid-root command-line utility shipped with polkit (formerly PolicyKit) on virtually every major Linux distribution. Any unprivileged local user, with no sudo rights and no special group membership, can obtain a root shell. The trigger is simple: when pkexec is executed with an empty argument vector, it reads, and then writes, one slot past the end of argv, and that slot is the first entry of the process environment. The flaw was present from pkexec's first commit in May 2009, so it was over 12 years old at disclosure.

What Is polkit?

Polkit (formerly PolicyKit) is a system-level authorization framework installed by default on almost every Linux desktop and server distribution, including Ubuntu, Debian, RHEL, CentOS, Fedora, SUSE and Arch. It gives unprivileged processes a controlled way to request privileged operations from system services without being granted full sudo access. pkexec is the command-line tool that lets an authorized user execute a command as another user (root by default), subject to polkit policy rules.

Because polkit is so widely deployed and pkexec runs setuid root, a vulnerability in it affects essentially the entire Linux ecosystem simultaneously.

Affected Versions

The vulnerability was introduced in the first public commit of pkexec in May 2009 (polkit 0.96) and is present in every upstream release since, up to and including polkit 0.120, which was the current release at disclosure. The upstream fix was committed on January 25, 2022 and first appeared in polkit release 121 (the project dropped the leading "0." from its version numbers at that point). Distributions backported the fix to their existing package versions rather than rebasing, so the package version named in the distribution advisory, not the version string printed by pkexec --version, is what identifies a fixed host.

Distribution                     Vulnerable   Fixed Version / Advisory
Ubuntu 14.04 – 21.10             Yes          USN-5252-1
Debian 9 / 10 / 11               Yes          DSA-5059-1
RHEL 6 / 7 / 8                   Yes          RHSA-2022:0267 / RHSA-2022:0274
Fedora 34 / 35                   Yes          FEDORA-2022-76c7009dac
SUSE Linux Enterprise            Yes          SUSE-SU-2022:0178-1
CentOS / AlmaLinux / Rocky       Yes          See upstream RHEL advisory
polkit upstream 0.96 – 0.120     Yes          polkit 121 (fix committed 2022-01-25)

Technical Details

Root Cause: argv/envp Boundary Confusion

pkexec assumes it is started the way a shell starts programs: with at least one argument, its own name in argv[0]. Nothing enforces that. Any caller can invoke execve() with an empty argument vector (argv = {NULL}, so argc == 0), and pkexec never checked for it.

The kernel lays argv and envp out back to back on the new process's initial stack: argv[0] .. argv[argc-1], a NULL terminator, then envp[0] .. envp[n-1] and a second NULL. In pointer terms envp == argv + argc + 1, so argv[argc+1] is always envp[0]. With argc == 0 the slot pkexec reads as argv[1] is therefore exactly envp[0], the first environment variable, and anything pkexec writes to argv[1] lands in the environment.

The critical code path:

  1. pkexec's option-parsing loop runs for n from 1 up to argc-1. With argc == 0 it never executes, and n is left at 1.
  2. pkexec then reads argv[n], i.e. argv[1], as the name of the program to run. With argc == 0 that slot is envp[0], so the first environment variable is taken as the program name (out-of-bounds read).
  3. If that name is not an absolute path, pkexec resolves it through PATH with g_find_program_in_path() and stores the result back into argv[1], which is envp[0] (out-of-bounds write).
  4. The attacker controls both halves of that write: the first environment variable supplies a relative name, and PATH points at an attacker-created directory whose name contains an '=' (for example a directory literally named GCONV_PATH=.). The resolved value, GCONV_PATH=./name, is a well-formed NAME=value entry, and it now sits in pkexec's own environment. pkexec later builds a sanitised environment for the command it is asked to run, but the injected variable acts on the pkexec process itself before that point.
  5. GCONV_PATH tells glibc's iconv where to find charset-conversion modules. When the setuid-root pkexec subsequently prints an error message through g_printerr() under a locale charset that glibc cannot find in its built-in module cache, iconv consults the attacker's GCONV_PATH directory and dlopen()s the shared object it names. That object's constructor runs as root.
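The argv/envp aliasing and the write-back are easy to reproduce without touching pkexec. The following C program is an added illustration, not pkexec's source or exploit code: pkexec_vulnerable() mirrors the shape of the pre-fix argument handling, pkexec_fixed() mirrors the shape of the upstream fix (reject argc < 1 and stop writing into argv), and find_program_in_path() is a stand-in for g_find_program_in_path() with a single attacker-chosen PATH directory. The process image is built by hand in the order execve() uses, so envp == argv + argc + 1. The values pwnkit and GCONV_PATH=. are constructed sample values, not anything taken from a real exploit run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of CVE-2021-4034, not pkexec's source. The process
 * image is laid out by hand the way execve() does it:
 *   argv[0..argc-1], NULL, envp[0..], NULL
 * so envp == argv + argc + 1 and, when argc == 0, argv[1] is envp[0].
 */

/* Attacker-controlled PATH: one directory whose name contains '='.
 * (Constructed sample value.) */
static const char *attacker_path_dir = "GCONV_PATH=.";

/* Stand-in for g_find_program_in_path(): returns "<dir>/<name>" as a
 * freshly allocated string, the way the real function does. */
static char *find_program_in_path(const char *name)
{
    size_t len = strlen(attacker_path_dir) + 1 + strlen(name) + 1;
    char *s = malloc(len);
    if (s == NULL)
        return NULL;
    snprintf(s, len, "%s/%s", attacker_path_dir, name);
    return s;
}

/* Shape of the pre-fix pkexec logic. */
static char *pkexec_vulnerable(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        /* option parsing lives here; with argc == 0 it never runs, n stays 1 */
    }
    char *path = argv[n];          /* argc == 0: out-of-bounds read of envp[0] */
    if (path == NULL)
        return NULL;               /* the real pkexec prints usage here */
    if (path[0] != '/') {
        char *s = find_program_in_path(path);
        if (s == NULL)
            return NULL;
        argv[n] = path = s;        /* argc == 0: out-of-bounds write into envp[0] */
    }
    return path;
}

/* Shape of the upstream fix: reject an empty argv and never write back. */
static char *pkexec_fixed(int argc, char **argv)
{
    if (argc < 1)
        return NULL;               /* the real fix exits with status 127 */
    char *path = argv[1];
    if (path == NULL)
        return NULL;
    if (path[0] != '/')
        path = find_program_in_path(path);
    return path;
}

/* Build an argc == 0 image and run one model over it. image[0] is the
 * NULL that terminates argv, so envp[0] is image[1]. Returns envp[0]
 * afterwards, which is what the attacker cares about. */
static const char *run_model(char *(*model)(int, char **))
{
    static char first_env[]  = "pwnkit";            /* constructed: relative program name */
    static char second_env[] = "PATH=GCONV_PATH=.";  /* constructed: shown for layout only;
                                                        the model reads attacker_path_dir */
    char *image[] = { NULL, first_env, second_env, NULL };
    int argc = 0;
    char **argv = image;
    char **envp = argv + argc + 1;

    (void)model(argc, argv);
    return envp[0];
}

const char *envp0_after_vulnerable(void) { return run_model(pkexec_vulnerable); }
const char *envp0_after_fixed(void)      { return run_model(pkexec_fixed); }

int main(void)
{
    printf("pre-fix model: envp[0] = \"%s\"\n", envp0_after_vulnerable());
    printf("fixed model:   envp[0] = \"%s\"\n", envp0_after_fixed());
    return 0;
}
```

Running it shows the pre-fix model turning envp[0] from "pwnkit" into "GCONV_PATH=./pwnkit", a syntactically valid environment entry only because the attacker put the '=' in the directory name, while the fixed model leaves the environment untouched. The model stops at the corrupted environment; it does not implement the iconv/gconv module load that turns that entry into root code execution.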

Attack Characteristics

Attribute                    Detail
Attack Vector                Local: the attacker must already run code as some local account (SSH login, web shell, cron job, compromised service user); no interactive session is needed
Privileges Required          None beyond an ordinary unprivileged account
sudoers Entry Required       No
Special Group Membership     No
Race Condition Required      No: fully deterministic
Kernel Version Dependency    None: the target is a userspace setuid binary, not the kernel
Impact                       Full root on host

Unlike most Linux LPEs, PwnKit targets a setuid userspace binary rather than the kernel. This means:

  • Kernel patching is not the fix: every kernel version carried an exploitable pkexec until polkit itself was patched. The one kernel-side change that matters is indirect: Linux 5.18 and later (and stable kernels that backported the change) replace an empty argv with a single empty string on execve(), which makes the argc == 0 entry point unreachable on those kernels. Older kernels get no such protection, and an unpatched pkexec on them remains exploitable.
  • It works on systems hardened with KSPP kernel options, since no kernel bug is involved.
  • A working public exploit was published hours after disclosure and confirmed on Ubuntu, Debian, RHEL, and Fedora.

Discovery

The Qualys Research Team discovered the vulnerability during a routine internal code audit of Linux system components. After confirming exploitability across multiple distributions, Qualys coordinated disclosure with Red Hat Product Security and major distribution vendors, achieving a synchronized patch release on January 25, 2022 — the same day as public disclosure. Qualys published a technical advisory with full exploitation details and confirmed working root shells on Ubuntu 20.04, Ubuntu 21.04, Debian 11, and Fedora 35.

Exploitation Context

PwnKit was immediately exploited in the wild following disclosure, with a public PoC available within hours. The straightforward, reliable nature of the exploit — no race condition, no kernel dependency, deterministic result — made it accessible to less sophisticated threat actors quickly.

  • Distribution: Every major Linux distribution was affected simultaneously; the ubiquity of polkit meant no safe harbor for unpatched systems
  • KEV listing: CISA added it to the KEV catalog on June 27, 2022, five months after disclosure. KEV inclusion requires evidence of active exploitation, so in-the-wild use continued well past the patch release
  • Persistence: Systems with slow patch cycles (embedded Linux, aging enterprise servers) remained exposed for months or years
  • Jump server relevance: pkexec runs setuid root on virtually every Linux bastion/jump host; an attacker with any shell access can escalate to root regardless of how the SSH daemon is configured

Remediation

CISA BOD 22-01 Deadline: July 18, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Apply your distribution's security errata for polkit (package policykit-1 on Debian/Ubuntu, polkit on RHEL/Fedora/SUSE). Do not judge exposure from pkexec --version: distributions backported the fix without bumping the upstream version string, and no upstream release below 121 contains it. Compare the installed package version with the one named in the advisory instead (dpkg -s policykit-1 on Debian/Ubuntu, rpm -q polkit on RHEL/Fedora).

  2. Apply distribution patches:

    • Ubuntu: apt update && apt upgrade policykit-1
    • RHEL/CentOS: yum update polkit
    • Debian: apt update && apt upgrade policykit-1
  3. Workaround if immediate patching is not possible: Remove the setuid bit from pkexec:

    chmod 0755 /usr/bin/pkexec
    

    This breaks pkexec functionality (legitimate privilege requests routed through pkexec will fail) but eliminates the privilege escalation path. Confirm with stat -c '%a' /usr/bin/pkexec, which should print 755, not 4755. A later package upgrade restores the setuid bit, which is what you want once the upgrade carries the fix; on Debian/Ubuntu, dpkg-statoverride --update --add root root 0755 /usr/bin/pkexec makes the mode stick across upgrades until you remove the override with dpkg-statoverride --remove /usr/bin/pkexec.

  4. Audit exposed systems: Any Linux server on which an untrusted principal could run code (interactive login, web shell, compromised service account) between May 2009 and January 25, 2022 should be treated as potentially compromised. The widely circulated exploit variant, which triggers pkexec's SHELL validation failure, does write "The value for the SHELL variable was not found the /etc/shells file" to syslog (auth.log or /var/log/secure, depending on the distribution), so search for that string. Qualys noted that the bug can also be exploited without leaving any log entry, so the absence of that line proves nothing.

Key Details

Property               Value
CVE ID                 CVE-2021-4034
Vendor / Product       Red Hat — Polkit
NVD Published          2022-01-28
NVD Last Modified      2025-11-06
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-787 — Out-of-bounds Write
CISA KEV Added         2022-06-27
CISA KEV Deadline      2022-07-18
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-07-18. Apply updates per vendor instructions.

Timeline

Date          Event
2009-05-27    Vulnerability introduced in the first public commit of pkexec
2021-11-18    Qualys Research Team sends its advisory to Red Hat Product Security
2022-01-11    Advisory and patch shared with distribution vendors through the linux-distros list (distros@openwall) for coordinated release
2022-01-25    Coordinated public disclosure; upstream fix committed and distribution updates published; Qualys advisory published
2022-01-28    CVE-2021-4034 published in NVD
2022-06-27    Added to CISA Known Exploited Vulnerabilities catalog
2022-07-18    CISA BOD 22-01 remediation deadline