CVE-2018-20839

Publication date 17 May 2019

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
systemd	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	19.10 eoan	Ignored end of life
	19.04 disco	Ignored end of life
	18.10 cosmic	Ignored end of life
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

Notes

seth-arnold

Possible regression when running startx manually

mdeslaur

commit was reverted in (240-6ubuntu7) possibly a bug in plymouth, not systemd as of 2021-04-12, we can no longer reproduce this issue with all updates applied. I am therefore marking this CVE as not affecting systemd and closing it out. This was possibly fixed by the plymouth change in bug 1817738.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
systemd	Upstream: 9725f1a Upstream: bb5ac84 Upstream: 13a43c7

Severity score breakdown

Parameter	Value
Base score	4.3 · Medium
Attack vector	Physical
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N