NIXPKGS-2026-0387
published on 27 Feb 2026
CVE-2026-26103
7.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed package deepin.udisks2-qt5
- @LeSuisse accepted
- @LeSuisse published on GitHub
udisks: missing authorization check allows unprivileged users to restore LUKS headers via udisks D-Bus API
A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.
References
- https://access.redhat.com/security/cve/CVE-2026-26103 x_refsource_REDHAT vdb-entry
- RHBZ#2433719 issue-tracking x_refsource_REDHAT
Affected products
udisks
udisks2
Matching in nixpkgs
pkgs.udisks
Daemon, tools and libraries to access and manipulate disks, storage devices and technologies
Ignored packages (1)
pkgs.deepin.udisks2-qt5
UDisks2 D-Bus interfaces binding for Qt5
Package maintainers
- @JohnAZoidberg Daniel Schäfer <git@danielschaefer.me>
- @jtojnar Jan Tojnar <jtojnar@gmail.com>