new file mode 100644
@@ -0,0 +1,131 @@
+From 03bb697b8df0339c37f4b845025320b261aeb7cc Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 6 Mar 2026 19:32:35 +0000
+Subject: [PATCH] udev: check for invalid chars in various fields received from
+ the kernel
+
+(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3)
+(cherry picked from commit 3513862eabe9ec4a6a095d7266e98f998f289ed2)
+(cherry picked from commit c20d21e0da293e715db468f9f4a15a5c8fbf8273)
+
+CVE: CVE-2026-40225
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/udev/dmi_memory_id/dmi_memory_id.c | 3 ++-
+ src/udev/scsi_id/scsi_id.c | 5 +++--
+ src/udev/udev-builtin-net_id.c | 9 +++++++++
+ src/udev/v4l_id/v4l_id.c | 5 ++++-
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c
+index 52ea250af8..4f2c21b80b 100644
+--- a/src/udev/dmi_memory_id/dmi_memory_id.c
++++ b/src/udev/dmi_memory_id/dmi_memory_id.c
+@@ -51,6 +51,7 @@
+ #include "string-util.h"
+ #include "udev-util.h"
+ #include "unaligned.h"
++#include "utf8.h"
+
+ #define SUPPORTED_SMBIOS_VER 0x030300
+
+@@ -185,7 +186,7 @@ static void dmi_memory_device_string(
+
+ str = strdupa_safe(dmi_string(h, s));
+ str = strstrip(str);
+- if (!isempty(str))
++ if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL))
+ printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str);
+ }
+
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 6308c52b7e..7e18bc755a 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -27,6 +27,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-util.h"
++#include "utf8.h"
+
+ static const struct option options[] = {
+ { "device", required_argument, NULL, 'd' },
+@@ -443,8 +444,8 @@ static int scsi_id(char *maj_min_dev) {
+ }
+ if (dev_scsi.tgpt_group[0] != '\0')
+ printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+- if (dev_scsi.unit_serial_number[0] != '\0')
+- printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
++ if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
++ printf("ID_SCSI_SERIAL=%s\n", serial_str);
+ goto out;
+ }
+
+diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
+index 91b40088f4..715184e282 100644
+--- a/src/udev/udev-builtin-net_id.c
++++ b/src/udev/udev-builtin-net_id.c
+@@ -39,6 +39,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-builtin.h"
++#include "utf8.h"
+
+ #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
+ #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
+@@ -247,6 +248,9 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
+ }
+ }
+
++ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
++
+ /* Otherwise, use phys_port_name as is. */
+ buf = strjoin("n", phys_port_name);
+ if (!buf)
+@@ -351,6 +355,9 @@ static int names_pci_onboard_label(sd_device *dev, sd_device *pci_dev, const cha
+ if (r < 0)
+ return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
+
++ if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
++
+ char str[ALTIFNAMSIZ];
+ if (snprintf_ok(str, sizeof str, "%s%s",
+ naming_scheme_has(NAMING_LABEL_NOPREFIX) ? "" : prefix,
+@@ -1209,6 +1216,8 @@ static int names_netdevsim(sd_device *dev, const char *prefix, bool test) {
+ if (isempty(phys_port_name))
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "The 'phys_port_name' attribute is empty.");
++ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
+
+ char str[ALTIFNAMSIZ];
+ if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))
+diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c
+index 30527e9556..2ec96d8d3a 100644
+--- a/src/udev/v4l_id/v4l_id.c
++++ b/src/udev/v4l_id/v4l_id.c
+@@ -29,6 +29,8 @@
+ #include "build.h"
+ #include "fd-util.h"
+ #include "main-func.h"
++#include "string-util.h"
++#include "utf8.h"
+
+ static const char *arg_device = NULL;
+
+@@ -82,7 +84,8 @@ static int run(int argc, char *argv[]) {
+ int capabilities;
+
+ printf("ID_V4L_VERSION=2\n");
+- printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
++ if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL))
++ printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
+ printf("ID_V4L_CAPABILITIES=:");
+
+ if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS)
+--
+2.50.1
+
new file mode 100644
@@ -0,0 +1,39 @@
+From 5887e72ff87d3a66a4c3fa91897fbec1545f4d3d Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 13 Mar 2026 11:10:47 +0000
+Subject: [PATCH] udev: fix review mixup
+
+The previous version in the PR changed variable and sanitized it
+in place. The second version switched to skip if CCs are in the
+string instead, but didn't move back to the original variable.
+Because it's an existing variable, no CI caught it.
+
+Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3
+
+(cherry picked from commit 54f880b02ecf7362e630ffc885d1466df6ee6820)
+(cherry picked from commit 4425d8523e79f3cc00b3b93a0b5e7c6cdc284a97)
+(cherry picked from commit 75c585beae60e73208941e6b3f64cf249223f53d)
+
+CVE: CVE-2026-40225
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/udev/scsi_id/scsi_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 7e18bc755a..b2df8d9f7f 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -445,7 +445,7 @@ static int scsi_id(char *maj_min_dev) {
+ if (dev_scsi.tgpt_group[0] != '\0')
+ printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+ if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
+- printf("ID_SCSI_SERIAL=%s\n", serial_str);
++ printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
+ goto out;
+ }
+
+--
+2.50.1
+
@@ -29,6 +29,8 @@ SRC_URI += " \
file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \
file://0008-implment-systemd-sysv-install-for-OE.patch \
+ file://CVE-2026-40225-01.patch \
+ file://CVE-2026-40225-02.patch \
"
# patches needed by musl
Backport commit[0] and [1] which fixes this vulnerability as mentioned in Debian report [2]. [0] https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc [1] https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d [2] https://security-tracker.debian.org/tracker/CVE-2026-40225 More details : https://nvd.nist.gov/vuln/detail/CVE-2026-40225 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../systemd/systemd/CVE-2026-40225-01.patch | 131 ++++++++++++++++++ .../systemd/systemd/CVE-2026-40225-02.patch | 39 ++++++ meta/recipes-core/systemd/systemd_255.21.bb | 2 + 3 files changed, 172 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch