CVE-2026-26104: udisks: missing authorization check allows unprivileged users to back up LUKS headers via the udisks D-Bus API
A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.
Frequently Asked Questions
What is the severity of CVE-2026-26104?
CVE-2026-26104 is classified as a medium severity vulnerability due to the potential risk of unauthorized access to sensitive encryption headers.
How do I fix CVE-2026-26104?
To fix CVE-2026-26104, ensure you update udisks to the latest version that includes the necessary security patches.
Who is affected by CVE-2026-26104?
CVE-2026-26104 affects users of udisks, particularly those using versions prior to the patched releases on affected systems.
What can be exploited in CVE-2026-26104?
CVE-2026-26104 can be exploited to allow unprivileged users to back up LUKS encryption headers without proper authorization.
Is there a workaround for CVE-2026-26104 until a patch is applied?
A recommended workaround for CVE-2026-26104 is to limit access to the udisks D-Bus API for unprivileged users until the vulnerability is patched.
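One way to apply that workaround at the bus level is a D-Bus system bus policy that refuses messages to the udisks service name from anyone but root. The fragment below is an added example, not part of this advisory or of the udisks project; it assumes the daemon is reachable under the well-known bus name org.freedesktop.UDisks2 (its standard name) and that the file is dropped into /etc/dbus-1/system.d/, which the system bus reads after the distribution's own policy files so the later rules take precedence.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE busconfig PUBLIC
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Added example for the CVE-2026-26104 workaround (assumed file:
     /etc/dbus-1/system.d/99-udisks-restrict.conf). Not udisks project code. -->
<busconfig>
  <!-- Default context applies to every caller: block all messages addressed
       to the udisks daemon, so the unchecked header-export method cannot be
       reached by unprivileged users while the daemon remains unpatched. -->
  <policy context="default">
    <deny send_destination="org.freedesktop.UDisks2"/>
  </policy>

  <!-- Per-user policies are evaluated after the default context, so root
       (the account administrators use for storage management) keeps access. -->
  <policy user="root">
    <allow send_destination="org.freedesktop.UDisks2"/>
  </policy>
</busconfig>
```

After installing the file, reload the system bus configuration (for example with `systemctl reload dbus`) so the new policy is enforced without restarting the bus. Note the trade-off: this denies every udisks call from non-root callers, not just the flawed export method, so desktop automount and unprivileged unlock/mount flows that go through udisks will stop working until the file is removed. It is a containment measure only; the actual fix is the patched udisks release that restores the policy check in the daemon.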