Udisks: out-of-bounds read in udisks daemon
Summary
| CVE | CVE-2025-8067 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-08-28 15:16:03 UTC |
| Updated | 2026-06-29 21:16:38 UTC |
| Description | A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users. |
Risk And Classification
Primary CVSS: v3.1 8.5 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
EPSS: 0.006500000 probability, percentile 0.465990000 (date 2026-07-01)
Problem Types: CWE-125 | CWE-125 Out-of-bounds Read
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 8.5 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H |
| 3.1 | CNA | CVSS | 8.5 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
ChangedConfidentiality
LowIntegrity
LowAvailability
HighCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Storaged-project | Udisks | affected 2.10.2 semver | Not specified |
| CNA | Storaged-project | Udisks | affected 2.10.3 2.10.91 semver | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 10 | unaffected 0:2.10.90-5.el10_0.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 Extended Lifecycle Support | unaffected 0:2.8.4-1.el7_9.2 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | unaffected 0:2.9.0-16.el8_10.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.2 Advanced Update Support | unaffected 0:2.8.3-2.el8_2.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | unaffected 0:2.9.0-6.el8_4.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | unaffected 0:2.9.0-6.el8_4.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | unaffected 0:2.9.0-9.el8_6.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.6 Telecommunications Update Service | unaffected 0:2.9.0-9.el8_6.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.6 Update Services For SAP Solutions | unaffected 0:2.9.0-9.el8_6.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.8 Telecommunications Update Service | unaffected 0:2.9.0-13.el8_8.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8.8 Update Services For SAP Solutions | unaffected 0:2.9.0-13.el8_8.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:2.9.4-11.el9_6.1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9.0 Update Services For SAP Solutions | unaffected 0:2.9.4-3.el9_0.2 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9.2 Update Services For SAP Solutions | unaffected 0:2.9.4-7.el9_2.2 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support | unaffected 0:2.9.4-10.el9_4.2 * rpm | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2025:15017 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:16121 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:16122 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:15018 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:15020 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:15956 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:16125 | [email protected] | access.redhat.com | |
| www.openwall.com/lists/oss-security/2025/08/28/1 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| access.redhat.com/errata/RHSA-2025:16090 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:16021 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:16106 | [email protected] | access.redhat.com | |
| lists.debian.org/debian-lts-announce/2025/08/msg00023.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| access.redhat.com/errata/RHSA-2025:16130 | [email protected] | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2025-8067 | [email protected] | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Michael Imfeld (born0monday) for reporting this issue. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-08-14T16:31:18.048Z | Reported to Red Hat. |
| CNA | 2025-08-28T14:42:00.000Z | Made public. |
Workarounds
CNA: There's no available mitigation other than installing the updated package as soon as available.
There are currently no legacy QID mappings associated with this CVE.