In the systemd system manager
The vulnerability is a use-after-free: an already freed memory area is accessed when requests to Polkit are executed asynchronously during the processing of DBus messages. Some DBus interfaces use a cache to store objects for a short time and flush the cache entries as soon as the bus is free to process other requests. If a DBus method handler uses bus_verify_polkit_async(), it may need to wait for the Polkit action to complete. Once Polkit is ready, the handler is called again and refers to the data already allocated in memory. If the request to Polkit takes too long, the cached items are cleared before the DBus method handler is called a second time.
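The lifetime problem described above can be modelled in a few lines of C. This is an added example, not systemd code: `Image`, `Pending`, `handler_first_call`, `cache_flush` and the other names are hypothetical, and pinning the object with a reference is a generic mitigation assumed here, not a fix described by the source. The object lives in a static slot so that the "freed" state can be inspected without touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model: one cached object with a reference count. */
typedef struct { int refs; bool live; } Image;
static Image slot;                         /* stands in for a heap allocation */

static Image *image_new(void) {            /* the cache holds the first reference */
    slot = (Image){ .refs = 1, .live = true };
    return &slot;
}
static Image *image_ref(Image *i) { i->refs++; return i; }
static void image_unref(Image *i) {
    if (--i->refs == 0) i->live = false;   /* real code would free() here */
}

/* What the handler keeps while it waits for the authorization reply. */
typedef struct { Image *image; bool pinned; } Pending;

/* First handler call: the answer is not known yet, so the request goes async.
 * pin=false keeps a borrowed pointer; pin=true takes its own reference. */
static Pending handler_first_call(Image *cached, bool pin) {
    return (Pending){ .image = pin ? image_ref(cached) : cached, .pinned = pin };
}

/* The bus became idle: the cache drops its reference to the entry. */
static void cache_flush(Image *cached) { image_unref(cached); }

/* Second handler call, after the reply arrived. Returns false when the
 * handler would be using an object that has already been released. */
static bool handler_second_call(Pending *p) {
    bool ok = p->image->live;
    if (p->pinned) image_unref(p->image);  /* release the pin when done */
    return ok;
}

/* slow_reply=true: the cache is flushed before the handler runs again. */
static bool scenario(bool pin, bool slow_reply) {
    Image *cached = image_new();
    Pending p = handler_first_call(cached, pin);
    if (slow_reply) cache_flush(cached);
    bool ok = handler_second_call(&p);
    if (!slow_reply) cache_flush(cached);
    return ok;
}

int main(void) {
    printf("borrowed, slow reply: valid=%d\n", scenario(false, true));
    printf("pinned,   slow reply: valid=%d\n", scenario(true, true));
    return 0;
}
```

Only the combination of a borrowed pointer and a slow reply leaves the second handler call with a released object, which matches the timing condition in the paragraph above.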
Among the services through which the vulnerability can be exploited, systemd-machined is noted: it provides the DBus API org.freedesktop.machine1.Image.Clone, which leads to temporary storage of data in the cache and an asynchronous call to Polkit. The org.freedesktop.machine1.Image.Clone interface is available to all non-privileged users of the system, who can cause systemd services to crash or potentially cause code to execute as root (exploit prototype not yet demonstrated). The code to exploit the vulnerability was
Source: opennet.ru