{"id":9724,"date":"2026-01-08T10:04:03","date_gmt":"2026-01-08T10:04:03","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/08\/linux-battery-utility-flaw-lets-hackers-bypass-authentication-and-tamper-system-settings\/"},"modified":"2026-01-08T10:04:03","modified_gmt":"2026-01-08T10:04:03","slug":"linux-battery-utility-flaw-lets-hackers-bypass-authentication-and-tamper-system-settings","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/08\/linux-battery-utility-flaw-lets-hackers-bypass-authentication-and-tamper-system-settings\/","title":{"rendered":"Linux Battery Utility Flaw Lets Hackers Bypass Authentication and Tamper System Settings"},"content":{"rendered":"

Linux Battery Utility Flaw Lets Hackers Bypass Authentication and Tamper System Settings
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical security vulnerability has been discovered in TLP, a widely used Linux laptop battery optimization utility, allowing local attackers to bypass authentication controls and manipulate system power settings without authorization.<\/p>\n

Security researchers from openSUSE identified a severe authentication<\/a> bypass flaw in the power profiles daemon in TLP version 1.9.0, tracked as\u00a0CVE-2025-67859.<\/p>\n

The vulnerability exploits a race condition in the Polkit authorization mechanism, enabling unprivileged local users to gain unauthorized control over power management configurations.\u200b<\/p>\n

The flaw originated when TLP 1.9.0 introduced a new profiles daemon featuring a D-Bus API for controlling power settings.<\/p>\n

\n\n\n\n\n\n
CVE ID<\/strong><\/th>\nSeverity<\/strong><\/th>\nAttack Vector<\/strong><\/th>\nImpact<\/strong><\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-67859<\/td>\nHigh<\/td>\nLocal<\/td>\nPolkit Authentication Bypass<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

During a routine security review requested by SUSE\u2019s package maintainer, researchers discovered the daemon<\/a> relied on Polkit\u2019s deprecated \u201cunix-process\u201d subject for authentication, a method known to be vulnerable since CVE-2013-4288.<\/p>\n

The vulnerability stems from the daemon\u2019s unsafe handling of process identification during authorization checks.<\/p>\n

When authenticating D-Bus clients, the system passes the caller\u2019s process ID (PID) to Polkit for verification.<\/p>\n

However, a race condition exists between when the PID is captured and when Polkit validates it, allowing attackers to substitute their process for one with higher privileges.<\/p>\n

How the Attack Works<\/strong><\/h2>\n

This authentication bypass grants local users complete control over TLP\u2019s power profile settings and logging configurations without requiring administrative credentials.<\/p>\n

While the attack requires local access, it poses significant risks in multi-user environments and shared systems.<\/p>\n

Beyond the primary authentication bypass, researchers identified three additional security issues:<\/p>\n

\n\n\n\n\n\n\n\n
Issue Type<\/strong><\/th>\nDescription<\/strong><\/th>\nSecurity Impact<\/strong><\/th>\n<\/tr>\n<\/thead>\n
Predictable Cookie Values<\/strong><\/td>\nAuthentication tokens use sequential integers starting from zero, making them easy to guess.<\/td>\nAttackers can hijack<\/a> or interfere with power management holds created by other users.<\/td>\n<\/tr>\n
Denial-of-Service<\/a> (DoS) Vulnerability<\/strong><\/td>\nUnlimited profile holds can be created without authentication.<\/td>\nSystem resources can be exhausted, leading to daemon crashes due to excessive memory usage.<\/td>\n<\/tr>\n
Exception Handling Flaws<\/strong><\/td>\nImproper input validation in the ReleaseProfile<\/code> method allows malformed parameters.<\/td>\nUnhandled exceptions are triggered, but the daemon continues running, risking instability.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The openSUSE security team reported<\/a> all findings to TLP\u2019s upstream developer on December 16, 2025, initiating a coordinated disclosure process.<\/p>\n

After collaborative patch<\/a> development over the holiday season, TLP version 1.9.1 was released on January 7, 2026, containing comprehensive fixes for all identified vulnerabilities.<\/p>\n

The patches implement robust D-Bus <\/a>\u201csystem bus name\u201d authentication, and replace predictable cookies with cryptographically random values.<\/p>\n

Enforce a maximum of 16 concurrent profile holds, and strengthen input validation throughout the daemon. Linux users running TLP should immediately upgrade to version 1.9.1 or later.<\/p>\n

System administrators managing multi-user environments should prioritize this update, as the vulnerability allows privilege escalation<\/a> within power management subsystems.<\/p>\n

Distribution maintainers have been notified and are releasing updated packages through standard channels.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Linux Battery Utility Flaw Lets Hackers Bypass Authentication and Tamper System Settings<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Linux Battery Utility Flaw Lets Hackers Bypass Authentication and Tamper System Settings A critical security vulnerability has been discovered in TLP, a widely used Linux laptop battery optimization utility, allowing local attackers to bypass authentication controls and manipulate system power settings without authorization. Security researchers from openSUSE identified a severe authentication bypass flaw in the […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,406,131,648],"tags":[130],"class_list":["post-9724","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-linux","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9724"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9724"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9724\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}