CVE-2026-26103

HIGH

Red Hat Enterprise Linux - Unauthenticated Denial of Service via udisks LUKS Header Restoration

Title source: llm

Description

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.

References (5)

Core 5

Core References

Vendor Advisory

https://github.com/storaged-project/udisks/security/advisories/GHSA-c75h-phf8-ccjm

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2026:3476

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:5831

https://access.redhat.com/errata/RHSA-2026:5831

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2026-26103

Vendor Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2433719

Scores

CVSS v3 7.1

EPSS 0.0001

EPSS Percentile 1.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (8)

freedesktop/udisks 2.0.0

Red Hat/Red Hat Enterprise Linux 10 0:2.10.90-6.el10_1.1

Red Hat/Red Hat Enterprise Linux 10.0 Extended Update Support 0:2.10.90-5.el10_0.2

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

redhat/enterprise_linux 10.0

Published Feb 25, 2026

Tracked Since Feb 25, 2026