LUKS Encryption Data Loss via Unprivileged Access to udisks Daemon

Summary

The udisks storage management daemon has a flaw that allows a local user without special permissions to accidentally or intentionally destroy encrypted data. This can happen when a user is allowed to manage disk encryption, and the data loss is permanent and irreversible. To fix this, update the udisks daemon to a version that includes the necessary security patch.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
redhat	enterprise_linux	10.0	–
freedesktop	udisks	2.0.0	–

Original title

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unpr...

Original description

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.

nvd CVSS3.1 7.1

Vulnerability type

CWE-862 Missing Authorization

https://access.redhat.com/errata/RHSA-2026:3476
https://access.redhat.com/security/cve/CVE-2026-26103 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2433719 Issue Tracking Vendor Advisory
https://github.com/storaged-project/udisks/security/advisories/GHSA-c75h-phf8-cc...