CVE-2026-26103

HIGH

udisks - Privilege Escalation

Title source: llm

Description

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.

References (3)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2026-26103

[Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2433719

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:3476

Scores

CVSS v3 7.1

EPSS 0.0001

EPSS Percentile 0.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Classification

CWE

CWE-862

Status published

Affected Products (2)

redhat/enterprise_linux

freedesktop/udisks

Timeline

Published Feb 25, 2026

Tracked Since Feb 25, 2026