CVE-2026-26103

Severity: HIGH (CVSS 3.1: 7.1), EPSS 0.01%
Updated: Mar 13, 2026
Vendor: Freedesktop
Type: CWE-862 (Missing Authorization)
Public PoC: No

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible.

Successful exploitation results in a denial-of-service condition through irreversible data loss.

Attack Parameters

Attack Vector: Local (requires local access)
Attack Complexity: Low (easy to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: High (complete data modification)
Availability: High (complete denial of service)

CVSS Vector v3.1

Vulnerable Products (2)

Configuration From (including) Up to (excluding)
Redhat Enterprise_Linux
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
Freedesktop Udisks
cpe:2.3:a:freedesktop:udisks:2.0.0:*:*:*:*:*:*:*
