udisks: Unprivileged D-Bus API allows LUKS header overwrite
CVE-2026-26103, published on February 25, 2026
Udisks: missing authorization check allows unprivileged users to restore LUKS headers via the udisks D-Bus API
A flaw was found in the udisks storage management daemon, which exposes a privileged D-Bus API for restoring LUKS encryption headers without performing proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate the encryption keys and render the encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.
Vulnerability Analysis
CVE-2026-26103 can be exploited with local system access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be no impact on confidentiality and a high impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public, 28 days later.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-26103 has been classified as an AuthZ (missing authorization) vulnerability or weakness.
Products Associated with CVE-2026-26103
Red Hat Enterprise Linux (RHEL)