CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 9 min read

CVE-2021-4034: PwnKit Polkit Vulnerability Explained, Root Access on Every Linux System for 12 Years

A heap buffer overflow in pkexec present in every polkit version since 2009. Any local unprivileged user becomes root. No race condition, no logs in standard auth.log, and confirmed working exploits on Ubuntu 20.04, Debian 11, and Fedora 34 default installations.

7.8
CVSS Score
12 Years
In Codebase
All Major
Linux Distros
No Logs
In auth.log

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2021-4034, named PwnKit by Qualys, is an out-of-bounds write vulnerability in pkexec, a SUID-root binary installed as part of the polkit (PolicyKit) privilege management framework. polkit is the default policy engine for privilege management on virtually every major Linux desktop and server distribution. pkexec has been part of polkit since its initial commit in May 2009, making CVE-2021-4034 a 12-year-old vulnerability affecting every Linux system deployed in that period.

Qualys disclosed the vulnerability January 25, 2022 and confirmed working exploits on Ubuntu 20.04, Ubuntu 21.10, Debian 11, Fedora 34, and CentOS 8 default installations. The exploit is particularly notable because it produces no entries in /var/log/auth.log or standard syslog, making detection through conventional log analysis impossible without specific auditd or EDR tooling.

How PwnKit Achieves Root via argv/envp Memory Confusion

pkexec is a SUID-root binary that processes its command-line arguments (argc/argv) to determine which program to execute with elevated privileges. The vulnerability is in how pkexec handles the case where argc is 0 or argv is effectively empty. When a process is invoked with an empty argv array, pkexec reads argv[1], which is out of bounds. The memory adjacent to argv[] in a process's memory layout is envp[] (the environment variable array). So pkexec reads from envp[] as if it were argv[].

Through carefully crafted environment variable layout, the attacker causes pkexec to write an unsanitized path value from the out-of-bounds argv[1] read back into envp[], effectively inserting an attacker-controlled environment variable. The inserted variable is GCONV_PATH=., which overrides the system gconv library search path. pkexec, still running as SUID root, subsequently calls a locale function that loads a gconv shared library from the current directory, where the attacker has placed a malicious library. The library executes arbitrary code as root.

1

Prepare exploit environment

Create a directory named 'GCONV_PATH=.' and place a malicious shared library inside it. Set up the environment variable layout so that pkexec's out-of-bounds write inserts GCONV_PATH=. into the process environment.

2

Invoke pkexec with empty argv

Execute pkexec with argc=0 by using execve() directly with a null argv array. This bypasses the normal command-line handling and triggers the out-of-bounds argv[1] read.

3

Out-of-bounds write inserts GCONV_PATH

pkexec reads from envp[] (adjacent to argv[]) as argv[1], then writes the value back into envp[] after path normalization, injecting GCONV_PATH=. into the environment of the still-running SUID root process.

4

pkexec loads attacker's shared library as root

pkexec calls setlocale() or a related locale function. The gconv module loader searches GCONV_PATH=. (the current directory), finds the attacker's library, and loads it. The library's constructor function executes as root.

12-Year Presence and Detection Challenges

The vulnerable code was present from polkit's initial public release in 2009. Every distribution-shipped version of pkexec across 12 years was affected. Qualys noted that similar vulnerable patterns exist in other SUID binaries that perform the same argc=0 handling, making PwnKit potentially a vulnerability class rather than an isolated flaw.

The detection challenge is significant. Standard authentication logging in /var/log/auth.log and syslog captures nothing from the exploit path, the vulnerable code runs before pkexec's authentication and audit logic. Detection requires either: auditd rules monitoring the specific execve() and open() syscall patterns used by the exploit, EDR solutions performing memory behavior analysis, or filesystem monitoring alerting on writes to directories named GCONV_PATH=. or the presence of attacker staging files in /tmp/ and /dev/shm/.

This vulnerability is an easy-to-exploit, reliable, single-user-required, no-race-condition LPE in the default configuration of Ubuntu, Debian, Fedora, and CentOS. It has been hiding in plain sight for 12+ years.

Qualys Security Advisory, CVE-2021-4034, January 2022
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Mitigating CVE-2021-4034

All major distributions released patched polkit packages on January 25–26, 2022, the same day Qualys published the advisory. Apply the update immediately.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

PwnKit illustrates a category of vulnerability that is particularly damaging: a flaw in a universally deployed security component that has been present for over a decade, is trivially exploitable by any local user, and leaves no conventional log traces. The polkit framework exists to mediate privilege, a vulnerability allowing privilege bypass in the privilege mediator itself represents a fundamental failure of the security model.

For defenders: patching is the only complete mitigation. The absence of auth.log entries means you cannot rely on conventional SIEM alerting to detect exploitation. Organizations that have not patched should assume that any threat actor with any local foothold on any Linux host has already evaluated this path to root.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2021-4034 (PwnKit)?

PwnKit is an out-of-bounds write in pkexec, the SUID-root polkit binary. When invoked with an empty argv, pkexec reads and writes out-of-bounds into the environment variable array (envp), allowing an attacker to introduce a malicious GCONV_PATH variable that causes pkexec to load an attacker-controlled shared library as root.

Does PwnKit require any privileges?

No. The exploit requires only a local user account, any account, regardless of group memberships, sudo permissions, or pkexec policy rules. The vulnerable code runs before pkexec checks whether the invoking user has any permissions.

Why does PwnKit not appear in auth.log?

The exploit reaches the vulnerability before pkexec's authentication and audit logging code runs. Standard syslog and /var/log/auth.log do not capture the exploit attempt. Detection requires auditd rules targeting the specific syscall patterns or EDR solutions with memory behavior monitoring.

How do I patch CVE-2021-4034?

Update the polkit package via your package manager: Ubuntu/Debian: apt-get update && apt-get install policykit-1. RHEL/CentOS: dnf update polkit. Fedora: dnf update polkit. Patches were released January 25–26, 2022 by all major distributions.

Can I mitigate PwnKit without patching?

As a temporary mitigation, remove the SUID bit from pkexec: chmod 0755 /usr/bin/pkexec. This breaks GUI applications that use pkexec for privilege prompts. Restore the SUID bit immediately after patching: chmod 4755 /usr/bin/pkexec. This mitigation does not fix the vulnerability, it only removes the attack surface.

How does the GCONV_PATH technique give PwnKit root access?

pkexec has an off-by-one error in argument parsing that allows it to read environment variable values as if they were arguments, then write a crafted path back into the environment. The exploit injects GCONV_PATH pointing to a directory with a malicious shared library and sets GIO_USE_VFS to trigger glibc's iconv to load that library during pkexec's startup. Because pkexec is SUID root, the malicious library loads with root privileges before pkexec's own access checks run, granting the attacker a root shell.

Sources & references

  1. NVD
  2. Qualys Security Advisory
  3. Red Hat Security Advisory

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.