
CVE-2021-4034: PwnKit Polkit Vulnerability Explained — Root Access on Every Linux System for 12 Years

An out-of-bounds read and write in pkexec present in every polkit version since 2009. Any local unprivileged user becomes root. No race condition, no dependency on the polkit daemon running, and working exploits on default installations of Ubuntu 20.04, Debian 11, and Fedora 34. The public technique leaves only a single pkexec syslog line, and Qualys states the bug can also be exploited without leaving any log trace at all.

7.8 CVSS score (High) | 12 years in codebase | All major Linux distros | Exploitable without auth.log traces

CVE-2021-4034, named PwnKit by Qualys, is an out-of-bounds read and write in pkexec, a SUID-root binary installed as part of the polkit (PolicyKit) privilege management framework. polkit is the default policy engine for privilege management on virtually every major Linux desktop and server distribution, and pkexec has been part of it since its first commit in May 2009, so CVE-2021-4034 is a 12-year-old bug affecting every polkit-based Linux system deployed in that period.

Qualys disclosed the vulnerability on January 25, 2022 and confirmed working exploits on default installations of Ubuntu 20.04, Ubuntu 21.10, Debian 11, Fedora 34, and CentOS 8. The exploit path runs before any polkit authorization check, so it generates no authentication or authorization event. The published technique does leave one trace: pkexec's complaint that the SHELL value was not found in /etc/shells (or that an environment variable contains suspicious content) goes to syslog and typically lands in /var/log/auth.log. Qualys also states that the bug can be exploited without even that line, so conventional log review cannot be relied on; detection needs auditd or EDR telemetry.

How PwnKit Achieves Root via argv/envp Memory Confusion

pkexec is a SUID-root binary that walks its command-line arguments (argc/argv) to find the program it should run with elevated privileges. Its option loop starts at index 1 (for (n = 1; n < argc; n++)) and, after the loop, reads argv[n] as the program name. When the binary is started with an empty argument list, argc is 0, the loop body never executes, n is still 1, and argv[1] is read even though the only argv element is the NULL terminator at argv[0]. The kernel places envp[] immediately after that terminator, so the out-of-bounds argv[1] is envp[0]: pkexec treats the attacker's first environment string as the program name.

That value is not an absolute path, so pkexec resolves it with g_find_program_in_path() against PATH, which the attacker also controls, and writes the resolved string back into argv[1], that is, into envp[0]. With PATH=GCONV_PATH=. and an executable file named pwnkit inside a directory literally named GCONV_PATH=., the resolved string is GCONV_PATH=./pwnkit, and the still-running SUID-root process now has GCONV_PATH in its environment. pkexec would later clear that variable while sanitizing the environment, but the load happens first: when pkexec rejects the attacker's invalid SHELL it reports the error through g_printerr(), and because CHARSET names an unknown encoding that call goes through iconv_open(). glibc's gconv loader honours GCONV_PATH, reads ./pwnkit/gconv-modules, and dlopen()s the attacker's module, whose constructor runs as root.

1. Prepare the exploit environment

Create a directory literally named GCONV_PATH=. containing an executable file (the advisory uses the name pwnkit), and a second directory named pwnkit holding a gconv-modules file and the malicious module it points to. Build the environment the attacker will pass: the first string is the bare word pwnkit, followed by PATH=GCONV_PATH=., a SHELL value that is not listed in /etc/shells, and a CHARSET value that matches no real character set.

2. Invoke pkexec with an empty argv

Call execve() on /usr/bin/pkexec with argv = {NULL} and the crafted envp. On kernels before 5.18 the process starts with argc = 0, so pkexec's option loop, which begins at n = 1, never executes and n is left pointing at argv[1], which is envp[0].

3. Out-of-bounds write inserts GCONV_PATH

pkexec reads pwnkit from argv[1], sees that it is not an absolute path, resolves it against the attacker-controlled PATH to GCONV_PATH=./pwnkit, and writes that string back into argv[1], that is, envp[0]. The still-running SUID-root process now has GCONV_PATH=./pwnkit in its environment.

4. pkexec loads the attacker's module as root

While validating the environment, pkexec rejects the bogus SHELL and reports it through g_printerr(). Because CHARSET names an unknown encoding, GLib converts the message with iconv_open(), glibc's gconv loader consults GCONV_PATH, reads ./pwnkit/gconv-modules, and dlopen()s the attacker's module. Its constructor function executes as root.

12-Year Presence and Detection Challenges

The vulnerable code shipped with pkexec's first commit in May 2009, so every distribution build of pkexec across those 12 years was affected. Qualys also noted that the root cause, assuming argc is at least 1 and argv[0] exists, is not unique to pkexec and that other setuid programs may make the same assumption, making PwnKit a vulnerability class rather than an isolated flaw. The Linux kernel closed that class in 5.18 by substituting an empty string for argv[0] whenever execve() is called with an empty argv, so such loops now see argc == 1.

Detection is harder than for most local privilege escalations. The vulnerable code runs before pkexec's authorization and audit logic, so no polkit authentication event is generated. The public technique does write one syslog line, pkexec's complaint that the SHELL value was not found in /etc/shells (or that an environment variable contains suspicious content), which on Debian-family systems lands in /var/log/auth.log, but Qualys states that the bug can be exploited without that line, so its absence proves nothing. Reliable detection needs one of: auditd rules on execve() of /usr/bin/pkexec that flag EXECVE records with argc=0, EDR that notices a SUID process loading a shared library from a user-writable directory, or filesystem monitoring for directories named GCONV_PATH=. and for shared objects staged under /tmp or /dev/shm.

This vulnerability is an easy-to-exploit, reliable, single-user-required, no-race-condition LPE in the default configuration of Ubuntu, Debian, Fedora, and CentOS. It has been hiding in plain sight for 12+ years.

Qualys Security Advisory, CVE-2021-4034, January 2022

Patching and Mitigating CVE-2021-4034

All major distributions released patched polkit packages on January 25–26, 2022, within a day of Qualys publishing the advisory. Apply the update immediately.

Update polkit via package manager

Ubuntu/Debian: apt-get update && apt-get install policykit-1. RHEL/CentOS: dnf update polkit (yum on CentOS 7). Fedora: dnf update polkit. SUSE: zypper update polkit. Arch: pacman -Syu polkit. Then confirm the installed version meets your distribution's patched release: dpkg -s policykit-1 | grep Version on Debian-family systems, rpm -q polkit on RPM-based ones.

Apply SUID removal as emergency mitigation if patching is delayed

Remove the SUID bit from pkexec with chmod 0755 /usr/bin/pkexec. pkexec then runs with the caller's own privileges, so the out-of-bounds write still happens but no longer yields root. GUI privilege prompts from software installers and system settings will fail until the bit is restored; installing the patched package replaces the binary with the correct mode.

Update all container base images

Container images built from Ubuntu, Debian, or RHEL/CentOS bases do not all ship polkit, but many pull it in through dependencies. Check each image (dpkg -l policykit-1 or rpm -q polkit), then rebuild and redeploy any that contain pkexec. A SUID pkexec inside a container still turns code execution as the container's unprivileged user into root inside that container, so polkit patching is required wherever local code execution is achievable.

Deploy detection for exploit artifacts

Audit execve() of /usr/bin/pkexec, for example with -a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k pwnkit, and alert when the paired EXECVE record reports argc=0. Watch for directory creation with GCONV_PATH in the name and for shared objects written under /tmp or /dev/shm. Alert on pkexec spawning a root process for a user with no corresponding polkit authorization.
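As an added example, written for this article rather than taken from its sources or from any vendor rule set, here is the correlation that an auditd rule on pkexec enables, run over constructed records rather than captured ones. It assumes the rule in the header comment is loaded; audit_field() and count_argc0_pkexec() are this example's own names. One audit event spans several records that share the msg=audit(timestamp:serial) id, so the scan first remembers the ids of pkexec execve SYSCALL records and then flags any EXECVE record for one of those ids whose argc is 0, which is what execve("/usr/bin/pkexec", {NULL}, envp) produces:

```c
/* pwnkit_audit_scan.c: added detection example for this article, not taken
 * from its sources. Correlates auditd SYSCALL and EXECVE records for pkexec
 * and flags events whose EXECVE record carries argc=0. Assumed rule:
 *   -a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k pwnkit
 * The SAMPLE records below are constructed for the example, not captured. */
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 64
#define ID_LEN 64

/* Copy the value of "key=" from an audit record into out, without quotes.
 * Matches whole keys only, so "uid" does not hit "auid". Returns 1 if found. */
static int audit_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *p = strstr(rec, key); p != NULL; p = strstr(p + 1, key)) {
        if ((p != rec && p[-1] != ' ') || p[klen] != '=')
            continue;
        const char *v = p + klen + 1;
        int quoted = (*v == '"');
        if (quoted)
            v++;
        size_t n = 0;
        while (v[n] != '\0' && v[n] != ' ' && !(quoted && v[n] == '"'))
            n++;
        if (n >= outsz)
            n = outsz - 1;
        memcpy(out, v, n);
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Pass 1 collects ids of execve SYSCALL records whose exe is pkexec; pass 2
 * counts EXECVE records with argc=0 that belong to one of those ids.
 * Returns the count, or -1 if more than MAX_EVENTS pkexec events are seen. */
static int count_argc0_pkexec(const char *const *lines, size_t nlines)
{
    char ids[MAX_EVENTS][ID_LEN];
    size_t nids = 0;
    char type[16], exe[256], id[ID_LEN], argc[8];

    for (size_t i = 0; i < nlines; i++) {
        if (!audit_field(lines[i], "type", type, sizeof type) || strcmp(type, "SYSCALL") != 0)
            continue;
        if (!audit_field(lines[i], "exe", exe, sizeof exe) || strcmp(exe, "/usr/bin/pkexec") != 0)
            continue;
        if (!audit_field(lines[i], "msg", id, sizeof id))
            continue;
        if (nids == MAX_EVENTS)
            return -1;
        memcpy(ids[nids++], id, ID_LEN);
    }
    int flagged = 0;
    for (size_t i = 0; i < nlines; i++) {
        if (!audit_field(lines[i], "type", type, sizeof type) || strcmp(type, "EXECVE") != 0)
            continue;
        if (!audit_field(lines[i], "argc", argc, sizeof argc) || strcmp(argc, "0") != 0)
            continue;
        if (!audit_field(lines[i], "msg", id, sizeof id))
            continue;
        for (size_t k = 0; k < nids; k++)
            if (strcmp(ids[k], id) == 0) { flagged++; break; }
    }
    return flagged;
}

/* Constructed sample: event 205 is an argc=0 execve of pkexec (suspicious);
 * event 206 is an ordinary "pkexec /usr/bin/true" (benign). */
static const char *const SAMPLE[] = {
    "type=SYSCALL msg=audit(1643114062.291:205): arch=c000003e syscall=59 success=yes exit=0 "
    "ppid=4120 pid=4131 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 "
    "comm=\"pkexec\" exe=\"/usr/bin/pkexec\" key=\"pwnkit\"",
    "type=EXECVE msg=audit(1643114062.291:205): argc=0",
    "type=CWD msg=audit(1643114062.291:205): cwd=\"/dev/shm\"",
    "type=SYSCALL msg=audit(1643114100.010:206): arch=c000003e syscall=59 success=yes exit=0 "
    "ppid=4120 pid=4140 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 "
    "comm=\"pkexec\" exe=\"/usr/bin/pkexec\" key=\"pwnkit\"",
    "type=EXECVE msg=audit(1643114100.010:206): argc=2 a0=\"pkexec\" a1=\"/usr/bin/true\"",
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    int n = count_argc0_pkexec(SAMPLE, SAMPLE_LEN);
    printf("%d pkexec execution(s) with argc=0 in %zu records\n", n, SAMPLE_LEN);
    return n > 0 ? 1 : 0;   /* nonzero exit so a wrapper can raise an alert */
}
```

Feed it the raw lines from ausearch -k pwnkit --raw or from audit.log and treat any nonzero count as an incident: legitimate pkexec invocations always carry at least argv[0]. On kernels 5.18 and later the kernel substitutes an empty argv[0] for an empty argv, so the record reads argc=1 with an empty a0 instead, and the match should be widened accordingly on those hosts.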

The bottom line

PwnKit illustrates a category of vulnerability that is particularly damaging: a flaw in a universally deployed security component, present for over a decade, trivially exploitable by any local user, and exploitable without conventional log traces. The polkit framework exists to mediate privilege; a privilege bypass in the mediator itself is a fundamental failure of the security model.

For defenders: patching is the only complete mitigation. Because the exploit path runs before any authentication logic and can be carried out without an auth.log entry, conventional SIEM alerting cannot be relied on to detect it. Organizations that have not patched should assume that any threat actor with any local foothold on any Linux host has already evaluated this path to root.

Frequently asked questions

What is CVE-2021-4034 (PwnKit)?

PwnKit is an out-of-bounds write in pkexec, the SUID-root polkit binary. When invoked with an empty argv, pkexec reads and writes out-of-bounds into the environment variable array (envp), allowing an attacker to introduce a malicious GCONV_PATH variable that causes pkexec to load an attacker-controlled shared library as root.

Does PwnKit require any privileges?

No. The exploit requires only a local user account — any account, regardless of group memberships, sudo permissions, or pkexec policy rules. The vulnerable code runs before pkexec checks whether the invoking user has any permissions.

Why does PwnKit not appear in auth.log?

The exploit reaches the vulnerable code before pkexec's authentication and audit logic runs, so no authentication event is logged. The public proof of concept does leave one syslog line (pkexec's complaint about an invalid SHELL), but Qualys states the bug can be exploited without it, so auth.log cannot be trusted to show an attempt. Detection needs auditd rules on pkexec execve() calls that flag argc=0, or EDR that monitors library loads by SUID processes.

How do I patch CVE-2021-4034?

Update the polkit package via your package manager: Ubuntu/Debian: apt-get update && apt-get install policykit-1. RHEL/CentOS: dnf update polkit. Fedora: dnf update polkit. Patches were released January 25–26, 2022 by all major distributions.

Can I mitigate PwnKit without patching?

As a temporary mitigation, remove the SUID bit from pkexec: chmod 0755 /usr/bin/pkexec. This breaks GUI applications that use pkexec for privilege prompts. Restore the SUID bit immediately after patching: chmod 4755 /usr/bin/pkexec. This mitigation does not fix the vulnerability — it only removes the attack surface.

Sources & references

  1. NVD
  2. Qualys Security Advisory
  3. Red Hat Security Advisory
Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest