CVE-2026-26103
Privilege Escalation in Udisks via Unauthorized LUKS Header Restore
Publication date: 2026-02-25
Last updated on: 2026-03-25
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 10.0 |
| freedesktop | udisks | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the udisks storage management daemon on Linux systems. It is caused by a missing authorization check in the RestoreEncryptedHeader D-Bus method, which allows any local unprivileged user to invoke a privileged function without proper permission verification.
Specifically, the handler function responsible for restoring LUKS encryption headers does not verify user permissions, enabling an attacker to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices.
This unauthorized action can permanently destroy encryption keys and render encrypted volumes inaccessible, resulting in irreversible data loss and a denial-of-service condition.
How can this vulnerability impact me?
The vulnerability allows a local unprivileged user to cause permanent damage to encrypted storage volumes by overwriting LUKS encryption headers without authorization.
This leads to irreversible loss of encryption keys and makes the encrypted data inaccessible.
As a result, affected systems can experience a denial-of-service condition due to permanent data loss on encrypted devices.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a missing authorization check in the udisks daemon's D-Bus API, allowing local unprivileged users to invoke the RestoreEncryptedHeader method. Detection involves monitoring or auditing calls to the org.freedesktop.UDisks2.Block.RestoreEncryptedHeader D-Bus method.
You can check for suspicious D-Bus method calls related to RestoreEncryptedHeader by using commands such as:
- Use dbus-monitor to watch for calls to the RestoreEncryptedHeader method: `dbus-monitor --system "type='method_call',interface='org.freedesktop.UDisks2.Block',member='RestoreEncryptedHeader'"`
- Check system logs (e.g., journalctl) for any unusual activity or errors related to udisks or LUKS header restoration.
- Audit local user activity for attempts to invoke D-Bus methods on the system bus without proper authorization. [1]
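The dbus-monitor rule above prints every matching call with its arguments, which is noisy to audit by hand. The following shell snippet is an added example, not part of this CVE record, that reduces dbus-monitor's "method call" lines to one alert line per RestoreEncryptedHeader call (sender unique name, destination and object path) so the output can be fed to a log pipeline. The sample lines are constructed to follow dbus-monitor's `method call time=... sender=... -> destination=... serial=... path=...; interface=...; member=...` layout; if your dbus-monitor version prints a different layout, adjust the field parsing accordingly.

```shell
#!/bin/sh
# Added example (not from the CVE record): filter dbus-monitor output for
# calls to RestoreEncryptedHeader on org.freedesktop.UDisks2.Block.
#
# Live usage (as root, on the system bus):
#   dbus-monitor --system "type='method_call',interface='org.freedesktop.UDisks2.Block',member='RestoreEncryptedHeader'" \
#     | flag_header_restores

flag_header_restores() {
    # Reads dbus-monitor lines on stdin; prints one ALERT line per
    # "method call" whose member is RestoreEncryptedHeader.
    awk '
        /^method call/ && /member=RestoreEncryptedHeader/ {
            sender = ""; dest = ""; path = ""
            for (i = 1; i <= NF; i++) {
                # "sender=" is 7 chars, "destination=" 12, "path=" 5
                if ($i ~ /^sender=/)      { sender = substr($i, 8) }
                if ($i ~ /^destination=/) { dest = substr($i, 13) }
                if ($i ~ /^path=/)        { path = substr($i, 6); sub(/;$/, "", path) }
            }
            printf "ALERT sender=%s destination=%s path=%s\n", sender, dest, path
        }'
}

sample_monitor_output() {
    # Constructed sample (not captured from a real system): a bus signal,
    # a harmless Block.Rescan call, the call we care about, and its reply.
    printf '%s\n' \
      'signal time=1700000000.000001 sender=org.freedesktop.DBus -> destination=:1.57 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired' \
      'method call time=1700000000.123456 sender=:1.57 -> destination=org.freedesktop.UDisks2 serial=5 path=/org/freedesktop/UDisks2/block_devices/sda2; interface=org.freedesktop.UDisks2.Block; member=Rescan' \
      'method call time=1700000001.654321 sender=:1.58 -> destination=org.freedesktop.UDisks2 serial=6 path=/org/freedesktop/UDisks2/block_devices/sda2; interface=org.freedesktop.UDisks2.Block; member=RestoreEncryptedHeader' \
      'method return time=1700000001.700000 sender=:1.3 -> destination=:1.58 serial=40 reply_serial=6'
}

# Stand-alone demo on the constructed sample; prints exactly one ALERT line.
sample_monitor_output | flag_header_restores
```

The alert carries only the caller's unique bus name (for example `:1.58`); while that connection is still open, `busctl status :1.58` resolves it to the owning PID and UID, which is what you need to tell an administrator's legitimate restore from an unexpected caller.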
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include restricting access to the vulnerable D-Bus method and applying any available patches or updates to the udisks package.
Specifically:
- Apply security updates or patches provided by your Linux distribution that fix the missing authorization check in udisks.
- Restrict local user permissions to prevent unprivileged users from accessing the org.freedesktop.UDisks2.Block.RestoreEncryptedHeader D-Bus method.
- Consider temporarily disabling or limiting the udisks daemon if patching is not immediately possible.
- Monitor system logs and D-Bus activity for any attempts to exploit this vulnerability.
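One concrete way to carry out the "restrict local user permissions" step until the patched udisks package is installed is a system-bus policy file that stops the bus from delivering RestoreEncryptedHeader to udisks on behalf of non-root callers. The script below is an added example, not from this CVE record or the udisks project; the bus name org.freedesktop.UDisks2, the interface and member are standard, the policy directory is the usual system-bus one, and the file name is our own choice.

```shell
#!/bin/sh
# Added example (not from the CVE record or udisks): install a D-Bus system
# bus policy that denies RestoreEncryptedHeader to every caller except root.
# Stopgap only: it does not fix the missing check inside udisksd.

write_restore_header_deny_policy() {
    # $1: directory to write into (default: the system bus policy directory).
    # Prints the path of the written file.
    dir="${1:-/etc/dbus-1/system.d}"
    file="$dir/99-udisks2-deny-restore-header.conf"
    cat > "$file" <<'EOF'
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Default context applies to all callers: the bus drops the message
       before udisksd sees it and the caller receives AccessDenied. -->
  <policy context="default">
    <deny send_destination="org.freedesktop.UDisks2"
          send_interface="org.freedesktop.UDisks2.Block"
          send_member="RestoreEncryptedHeader"/>
  </policy>
  <!-- root keeps the ability to restore a header from its own backup. -->
  <policy user="root">
    <allow send_destination="org.freedesktop.UDisks2"
           send_interface="org.freedesktop.UDisks2.Block"
           send_member="RestoreEncryptedHeader"/>
  </policy>
</busconfig>
EOF
    printf '%s\n' "$file"
}

policy_denies_restore_header() {
    # $1: policy file; returns 0 when it contains the deny rule for the method.
    grep -q '<deny send_destination="org.freedesktop.UDisks2"' "$1" &&
        grep -q 'send_member="RestoreEncryptedHeader"' "$1"
}

# Stand-alone use: pass the target directory explicitly, e.g.
#   sh this_script.sh /etc/dbus-1/system.d
if [ "$#" -eq 1 ]; then
    f=$(write_restore_header_deny_policy "$1")
    policy_denies_restore_header "$f" && printf 'installed %s\n' "$f"
fi
```

After writing the file, ask dbus-daemon to reread its configuration (on systemd hosts `systemctl reload dbus`). Two caveats: the deny also blocks non-root users that a polkit rule would otherwise have authorized for this operation, and it is superseded, not replaced, by the distribution's updated udisks package, which adds the authorization check in the daemon itself.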