# CVE-2021-4032

* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)

* Arg counting starts at 1 inside pkexec logic
* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
* The value behind NULL can be overwritten, which is the first env param