NIXPKGS-2026-0383
GitHub issue
published on 27 Feb 2026
CVE-2026-26104
5.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed package deepin.udisks2-qt5
- @LeSuisse accepted
- @LeSuisse published on GitHub
udisks: missing authorization check allows unprivileged users to back up LUKS headers via udisks D-Bus API
A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.
References
- https://access.redhat.com/security/cve/CVE-2026-26104 x_refsource_REDHAT vdb-entry
- RHBZ#2433717 issue-tracking x_refsource_REDHAT
Affected products
udisks
udisks2
Matching in nixpkgs
pkgs.udisks
Daemon, tools and libraries to access and manipulate disks, storage devices and technologies
Ignored packages (1)
pkgs.deepin.udisks2-qt5
UDisks2 D-Bus interfaces binding for Qt5
Package maintainers
- @JohnAZoidberg Daniel Schäfer <git@danielschaefer.me>
- @jtojnar Jan Tojnar <jtojnar@gmail.com>