update: systemd

[dongsupark]

Name: systemd
CVEs: CVE-2026-40223, CVE-2026-40225, CVE-2026-40226
CVSSs: 4.7, 6.4, 6.4
Action Needed:

• CVE-2026-40223: update to >= 260 or 259.2 or 258.5
• CVE-2026-40225: update to >= 260 or 259.5 or 258.7
• CVE-2026-40226: update to >= 260 or 259.4 or 258.6

Summary:

• CVE-2026-40223: In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User= unit exists and is running.
  • https://bugzilla.redhat.com/show_bug.cgi?id=2457318
• CVE-2026-40225: In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.
  • https://bugzilla.redhat.com/show_bug.cgi?id=2457324
• CVE-2026-40226: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
  • https://bugzilla.redhat.com/show_bug.cgi?id=2457326

refmap.gentoo: TBD

[dongsupark]

@krnowak Sorry for confusion.
Removed CVE-2026-4105, because that affects only systemd 259, while Flatcar has only systemd 258.

On the other hand, added CVE-2026-40223, CVE-2026-40225, CVE-2026-40226. Those affect systemd 258 as well.

[krnowak]

Thanks for heads-up, will update the changelog. The current update will address only two of the CVEs, though.