new file mode 100644
@@ -0,0 +1,168 @@
+From 284fd279f9e9c199982aea51aee59a02e90a2eda Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 19 May 2025 12:58:52 +0200
+Subject: [PATCH 1/4] path-util: add flavour of path_startswith() that leaves a
+ leading slash in place
+
+CVE: CVE-2026-29111
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/20021e7686426052e3a7505425d7e12085feb2a6]
+
+(cherry picked from commit ee19edbb9f3455db3f750089082f3e5a925e3a0c)
+(cherry picked from commit 20021e7686426052e3a7505425d7e12085feb2a6)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ src/basic/fs-util.c | 2 +-
+ src/basic/mkdir.c | 2 +-
+ src/basic/path-util.c | 39 ++++++++++++++++++++++++++++-----------
+ src/basic/path-util.h | 10 ++++++++--
+ src/test/test-path-util.c | 16 ++++++++++++++++
+ 5 files changed, 54 insertions(+), 15 deletions(-)
+
+diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
+index 5bc7d2f95b..4633a5cd72 100644
+--- a/src/basic/fs-util.c
++++ b/src/basic/fs-util.c
+@@ -65,7 +65,7 @@ int rmdir_parents(const char *path, const char *stop) {
+ assert(*slash == '/');
+ *slash = '\0';
+
+- if (path_startswith_full(stop, p, /* accept_dot_dot= */ false))
++ if (path_startswith_full(stop, p, /* flags= */ 0))
+ return 0;
+
+ if (rmdir(p) < 0 && errno != ENOENT)
+diff --git a/src/basic/mkdir.c b/src/basic/mkdir.c
+index c770e5ed32..7bc73361a5 100644
+--- a/src/basic/mkdir.c
++++ b/src/basic/mkdir.c
+@@ -155,7 +155,7 @@ int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, ui
+ assert(_mkdirat != mkdirat);
+
+ if (prefix) {
+- p = path_startswith_full(path, prefix, /* accept_dot_dot= */ false);
++ p = path_startswith_full(path, prefix, /* flags= */ 0);
+ if (!p)
+ return -ENOTDIR;
+ } else
+diff --git a/src/basic/path-util.c b/src/basic/path-util.c
+index 6810bf66aa..e73f5d708e 100644
+--- a/src/basic/path-util.c
++++ b/src/basic/path-util.c
+@@ -403,8 +403,8 @@ char* path_simplify_full(char *path, PathSimplifyFlags flags) {
+ return path;
+ }
+
+-char* path_startswith_full(const char *path, const char *prefix, bool accept_dot_dot) {
+- assert(path);
++char* path_startswith_full(const char *original_path, const char *prefix, PathStartWithFlags flags) {
++ assert(original_path);
+ assert(prefix);
+
+ /* Returns a pointer to the start of the first component after the parts matched by
+@@ -417,28 +417,45 @@ char* path_startswith_full(const char *path, const char *prefix, bool accept_dot
+ * Returns NULL otherwise.
+ */
+
++ const char *path = original_path;
++
+ if ((path[0] == '/') != (prefix[0] == '/'))
+ return NULL;
+
+ for (;;) {
+ const char *p, *q;
+- int r, k;
++ int m, n;
+
+- r = path_find_first_component(&path, accept_dot_dot, &p);
+- if (r < 0)
++ m = path_find_first_component(&path, FLAGS_SET(flags, PATH_STARTSWITH_ACCEPT_DOT_DOT), &p);
++ if (m < 0)
+ return NULL;
+
+- k = path_find_first_component(&prefix, accept_dot_dot, &q);
+- if (k < 0)
++ n = path_find_first_component(&prefix, FLAGS_SET(flags, PATH_STARTSWITH_ACCEPT_DOT_DOT), &q);
++ if (n < 0)
+ return NULL;
+
+- if (k == 0)
+- return (char*) (p ?: path);
++ if (n == 0) {
++ if (!p)
++ p = path;
++
++ if (FLAGS_SET(flags, PATH_STARTSWITH_RETURN_LEADING_SLASH)) {
++
++ if (p <= original_path)
++ return NULL;
++
++ p--;
++
++ if (*p != '/')
++ return NULL;
++ }
++
++ return (char*) p;
++ }
+
+- if (r != k)
++ if (m != n)
+ return NULL;
+
+- if (!strneq(p, q, r))
++ if (!strneq(p, q, m))
+ return NULL;
+ }
+ }
+diff --git a/src/basic/path-util.h b/src/basic/path-util.h
+index 6d943e967f..e0ec05f4db 100644
+--- a/src/basic/path-util.h
++++ b/src/basic/path-util.h
+@@ -53,9 +53,15 @@ int safe_getcwd(char **ret);
+ int path_make_absolute_cwd(const char *p, char **ret);
+ int path_make_relative(const char *from, const char *to, char **ret);
+ int path_make_relative_parent(const char *from_child, const char *to, char **ret);
+-char* path_startswith_full(const char *path, const char *prefix, bool accept_dot_dot) _pure_;
++
++typedef enum PathStartWithFlags {
++ PATH_STARTSWITH_ACCEPT_DOT_DOT = 1U << 0,
++ PATH_STARTSWITH_RETURN_LEADING_SLASH = 1U << 1,
++} PathStartWithFlags;
++
++char* path_startswith_full(const char *path, const char *prefix, PathStartWithFlags flags) _pure_;
+ static inline char* path_startswith(const char *path, const char *prefix) {
+- return path_startswith_full(path, prefix, true);
++ return path_startswith_full(path, prefix, PATH_STARTSWITH_ACCEPT_DOT_DOT);
+ }
+
+ int path_compare(const char *a, const char *b) _pure_;
+diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
+index f5a425689a..71056b08c1 100644
+--- a/src/test/test-path-util.c
++++ b/src/test/test-path-util.c
+@@ -754,6 +754,22 @@ TEST(path_startswith) {
+ test_path_startswith_one("/foo/bar/barfoo/", "/fo", NULL, NULL);
+ }
+
++static void test_path_startswith_return_leading_slash_one(const char *path, const char *prefix, const char *expected) {
++ const char *p;
++
++ log_debug("/* %s(%s, %s) */", __func__, path, prefix);
++
++ p = path_startswith_full(path, prefix, PATH_STARTSWITH_RETURN_LEADING_SLASH);
++ assert_se(streq_ptr(p, expected));
++}
++
++TEST(path_startswith_return_leading_slash) {
++ test_path_startswith_return_leading_slash_one("/foo/bar", "/", "/foo/bar");
++ test_path_startswith_return_leading_slash_one("/foo/bar", "/foo", "/bar");
++ test_path_startswith_return_leading_slash_one("/foo/bar", "/foo/bar", NULL);
++ test_path_startswith_return_leading_slash_one("/foo/bar/", "/foo/bar", "/");
++}
++
+ static void test_prefix_root_one(const char *r, const char *p, const char *expected) {
+ _cleanup_free_ char *s = NULL;
+ const char *t;
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,87 @@
+From ed86ee8a7cc82fe1c68e3fb17be71c9c8e62ca87 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 23 May 2025 06:45:40 +0200
+Subject: [PATCH 2/4] path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag
+
+As requested: https://github.com/systemd/systemd/pull/37572#pullrequestreview-2861928094
+
+CVE: CVE-2026-29111
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/7ac3220213690e8a8d6d2a6e81e43bd1dce01d69]
+
+(cherry picked from commit ceed11e465f1c8efff1931412a85924d9de7c08d)
+(cherry picked from commit 7ac3220213690e8a8d6d2a6e81e43bd1dce01d69)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ src/basic/fs-util.c | 2 +-
+ src/basic/mkdir.c | 2 +-
+ src/basic/path-util.c | 4 ++--
+ src/basic/path-util.h | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
+index 4633a5cd72..21cd6ddcde 100644
+--- a/src/basic/fs-util.c
++++ b/src/basic/fs-util.c
+@@ -65,7 +65,7 @@ int rmdir_parents(const char *path, const char *stop) {
+ assert(*slash == '/');
+ *slash = '\0';
+
+- if (path_startswith_full(stop, p, /* flags= */ 0))
++ if (path_startswith_full(stop, p, PATH_STARTSWITH_REFUSE_DOT_DOT))
+ return 0;
+
+ if (rmdir(p) < 0 && errno != ENOENT)
+diff --git a/src/basic/mkdir.c b/src/basic/mkdir.c
+index 7bc73361a5..8f14c47214 100644
+--- a/src/basic/mkdir.c
++++ b/src/basic/mkdir.c
+@@ -155,7 +155,7 @@ int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, ui
+ assert(_mkdirat != mkdirat);
+
+ if (prefix) {
+- p = path_startswith_full(path, prefix, /* flags= */ 0);
++ p = path_startswith_full(path, prefix, PATH_STARTSWITH_REFUSE_DOT_DOT);
+ if (!p)
+ return -ENOTDIR;
+ } else
+diff --git a/src/basic/path-util.c b/src/basic/path-util.c
+index e73f5d708e..a65a5c32f6 100644
+--- a/src/basic/path-util.c
++++ b/src/basic/path-util.c
+@@ -426,11 +426,11 @@ char* path_startswith_full(const char *original_path, const char *prefix, PathSt
+ const char *p, *q;
+ int m, n;
+
+- m = path_find_first_component(&path, FLAGS_SET(flags, PATH_STARTSWITH_ACCEPT_DOT_DOT), &p);
++ m = path_find_first_component(&path, !FLAGS_SET(flags, PATH_STARTSWITH_REFUSE_DOT_DOT), &p);
+ if (m < 0)
+ return NULL;
+
+- n = path_find_first_component(&prefix, FLAGS_SET(flags, PATH_STARTSWITH_ACCEPT_DOT_DOT), &q);
++ n = path_find_first_component(&prefix, !FLAGS_SET(flags, PATH_STARTSWITH_REFUSE_DOT_DOT), &q);
+ if (n < 0)
+ return NULL;
+
+diff --git a/src/basic/path-util.h b/src/basic/path-util.h
+index e0ec05f4db..11a1078df9 100644
+--- a/src/basic/path-util.h
++++ b/src/basic/path-util.h
+@@ -55,13 +55,13 @@ int path_make_relative(const char *from, const char *to, char **ret);
+ int path_make_relative_parent(const char *from_child, const char *to, char **ret);
+
+ typedef enum PathStartWithFlags {
+- PATH_STARTSWITH_ACCEPT_DOT_DOT = 1U << 0,
++ PATH_STARTSWITH_REFUSE_DOT_DOT = 1U << 0,
+ PATH_STARTSWITH_RETURN_LEADING_SLASH = 1U << 1,
+ } PathStartWithFlags;
+
+ char* path_startswith_full(const char *path, const char *prefix, PathStartWithFlags flags) _pure_;
+ static inline char* path_startswith(const char *path, const char *prefix) {
+- return path_startswith_full(path, prefix, PATH_STARTSWITH_ACCEPT_DOT_DOT);
++ return path_startswith_full(path, prefix, 0);
+ }
+
+ int path_compare(const char *a, const char *b) _pure_;
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,103 @@
+From 7a1749753b4853866f90ef25d48192e4d1563543 Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Thu, 26 Feb 2026 11:06:00 +0100
+Subject: [PATCH 3/4] core/cgroup: avoid one unnecessary strjoina()
+
+CVE: CVE-2026-29111
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/21167006574d6b83813c7596759b474f56562412]
+
+(cherry picked from commit 42aee39107fbdd7db1ccd402a2151822b2805e9f)
+(cherry picked from commit 80acea4ef80a4bb78560ed970c34952299b890d6)
+(cherry picked from commit b5fd14693057e5f2c9b4a49603be64ec3608ff6c)
+(cherry picked from commit 21167006574d6b83813c7596759b474f56562412)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ src/core/cgroup.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/src/core/cgroup.c b/src/core/cgroup.c
+index d398655b0a..e5e7f032c2 100644
+--- a/src/core/cgroup.c
++++ b/src/core/cgroup.c
+@@ -2568,12 +2568,13 @@ static int unit_update_cgroup(
+ return 0;
+ }
+
+-static int unit_attach_pid_to_cgroup_via_bus(Unit *u, pid_t pid, const char *suffix_path) {
++static int unit_attach_pid_to_cgroup_via_bus(Unit *u, const char *cgroup_path, pid_t pid) {
+ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
+- char *pp;
+ int r;
+
+ assert(u);
++ assert(cgroup_path);
++ assert(pid_is_valid(pid));
+
+ if (MANAGER_IS_SYSTEM(u->manager))
+ return -EINVAL;
+@@ -2581,17 +2582,13 @@ static int unit_attach_pid_to_cgroup_via_bus(Unit *u, pid_t pid, const char *suf
+ if (!u->manager->system_bus)
+ return -EIO;
+
+- if (!u->cgroup_path)
+- return -EINVAL;
+-
+ /* Determine this unit's cgroup path relative to our cgroup root */
+- pp = path_startswith(u->cgroup_path, u->manager->cgroup_root);
++ const char *pp = path_startswith_full(cgroup_path,
++ u->manager->cgroup_root,
++ PATH_STARTSWITH_RETURN_LEADING_SLASH|PATH_STARTSWITH_REFUSE_DOT_DOT);
+ if (!pp)
+ return -EINVAL;
+
+- pp = strjoina("/", pp, suffix_path);
+- path_simplify(pp);
+-
+ r = bus_call_method(u->manager->system_bus,
+ bus_systemd_mgr,
+ "AttachProcessesToUnit",
+@@ -2630,8 +2627,10 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
+ return r;
+
+ if (isempty(suffix_path))
+- p = u->cgroup_path;
++ p = empty_to_root(u->cgroup_path);
+ else {
++ assert(path_is_absolute(suffix_path));
++
+ joined = path_join(u->cgroup_path, suffix_path);
+ if (!joined)
+ return -ENOMEM;
+@@ -2649,7 +2648,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
+ * before we use it */
+ r = pidref_verify(pid);
+ if (r < 0) {
+- log_unit_info_errno(u, r, "PID " PID_FMT " vanished before we could move it to target cgroup '%s', skipping: %m", pid->pid, empty_to_root(p));
++ log_unit_info_errno(u, r, "PID " PID_FMT " vanished before we could move it to target cgroup '%s', skipping: %m", pid->pid, p);
+ continue;
+ }
+
+@@ -2660,7 +2659,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
+
+ log_unit_full_errno(u, again ? LOG_DEBUG : LOG_INFO, r,
+ "Couldn't move process "PID_FMT" to%s requested cgroup '%s': %m",
+- pid->pid, again ? " directly" : "", empty_to_root(p));
++ pid->pid, again ? " directly" : "", p);
+
+ if (again) {
+ int z;
+@@ -2670,9 +2669,9 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
+ * Since it's more privileged it might be able to move the process across the
+ * leaves of a subtree whose top node is not owned by us. */
+
+- z = unit_attach_pid_to_cgroup_via_bus(u, pid->pid, suffix_path);
++ z = unit_attach_pid_to_cgroup_via_bus(u, p, pid->pid);
+ if (z < 0)
+- log_unit_info_errno(u, z, "Couldn't move process "PID_FMT" to requested cgroup '%s' (directly or via the system bus): %m", pid->pid, empty_to_root(p));
++ log_unit_info_errno(u, z, "Couldn't move process "PID_FMT" to requested cgroup '%s' (directly or via the system bus): %m", pid->pid, p);
+ else {
+ if (ret >= 0)
+ ret++; /* Count successful additions */
+--
+2.43.0
+
new file mode 100644
@@ -0,0 +1,37 @@
+From 0d2c41d0f024088a275ac0c02d50205c800dec8a Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Thu, 26 Feb 2026 11:06:34 +0100
+Subject: [PATCH 4/4] core: validate input cgroup path more prudently
+
+CVE: CVE-2026-29111
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/54588d2dedff54bfb6036670820650e4ea74628f]
+
+(cherry picked from commit efa6ba2ab625aaa160ac435a09e6482fc63bdbe8)
+(cherry picked from commit 3cee294fe8cf4fa0eff933ab21416d099942cabd)
+(cherry picked from commit 1d22f706bd04f45f8422e17fbde3f56ece17758a)
+(cherry picked from commit 54588d2dedff54bfb6036670820650e4ea74628f)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ src/core/dbus-manager.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
+index c7372ca033..cb84ba9866 100644
+--- a/src/core/dbus-manager.c
++++ b/src/core/dbus-manager.c
+@@ -646,6 +646,12 @@ static int method_get_unit_by_control_group(sd_bus_message *message, void *userd
+ if (r < 0)
+ return r;
+
++ if (!path_is_absolute(cgroup))
++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not absolute: %s", cgroup);
++
++ if (!path_is_normalized(cgroup))
++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not normalized: %s", cgroup);
++
+ u = manager_get_unit_by_cgroup(m, cgroup);
+ if (!u)
+ return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT,
+--
+2.43.0
+
@@ -33,6 +33,10 @@ SRC_URI += " \
file://CVE-2026-40225-02.patch \
file://CVE-2026-40226-01.patch \
file://CVE-2026-40226-02.patch \
+ file://CVE-2026-29111-01.patch \
+ file://CVE-2026-29111-02.patch \
+ file://CVE-2026-29111-03.patch \
+ file://CVE-2026-29111-04.patch \
"
# patches needed by musl