A critical security vulnerability has been discovered in TLP, a widely used Linux laptop battery optimization utility, allowing local attackers to bypass authentication controls and manipulate system power settings without authorization.
Security researchers from openSUSE identified a severe authentication bypass flaw in the power profiles daemon in TLP version 1.9.0, tracked as CVE-2025-67859.
The vulnerability exploits a race condition in the Polkit authorization mechanism, enabling unprivileged local users to gain unauthorized control over power management configurations.
The flaw originated when TLP 1.9.0 introduced a new profiles daemon featuring a D-Bus API for controlling power settings.
| CVE ID | Severity | Attack Vector | Impact |
| --- | --- | --- | --- |
| CVE-2025-67859 | High | Local | Polkit Authentication Bypass |
During a routine security review requested by SUSE’s package maintainer, researchers discovered the daemon relied on Polkit’s deprecated “unix-process” subject for authentication, a method known to be vulnerable since CVE-2013-4288.
The vulnerability stems from the daemon’s unsafe handling of process identity during authorization checks.
When authenticating D-Bus clients, the system passes the caller’s process ID (PID) to Polkit for verification.
However, a race condition exists between when the PID is captured and when Polkit validates it, allowing attackers to substitute their process for one with higher privileges.
How the Attack Works
This authentication bypass grants local users full control over TLP’s power profile settings and logging configurations without requiring administrative credentials.
While the attack requires local access, it poses significant risks in multi-user environments and shared systems.
Beyond the primary authentication bypass, researchers identified three additional security issues:
| Issue Type | Description | Security Impact |
| --- | --- | --- |
| Predictable Cookie Values | Authentication tokens use sequential integers starting from zero, making them easy to guess. | Attackers can hijack or interfere with power management holds created by other users. |
| Denial-of-Service (DoS) Vulnerability | Unlimited profile holds can be created without authentication. | System resources can be exhausted, leading to daemon crashes due to excessive memory usage. |
| Exception Handling Flaws | Improper input validation in the ReleaseProfile method allows malformed parameters. | Unhandled exceptions are triggered, but the daemon continues running, risking instability. |
The openSUSE security team reported all findings to TLP’s upstream developer on December 16, 2025, initiating a coordinated disclosure process.
After collaborative patch development over the holiday season, TLP version 1.9.1 was released on January 7, 2026, containing comprehensive fixes for all identified vulnerabilities.
The patches implement robust D-Bus “system bus name” authentication, replace predictable cookies with cryptographically random values, enforce a maximum of 16 concurrent profile holds, and strengthen input validation throughout the daemon.
Linux users running TLP should immediately upgrade to version 1.9.1 or later.
System administrators managing multi-user environments should prioritize this update, as the vulnerability allows privilege escalation within power management subsystems.
Distribution maintainers have been notified and are releasing updated packages through standard channels.
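The four fixes described for TLP 1.9.1 can be pictured with the following Python example, which is added here for illustration and is not TLP's own code. The names HoldRegistry, HoldError and polkit_subject, the 32-bit cookie width and the binding of a cookie to its owner's bus name are assumptions; only the cap of 16 holds, the random cookies, the input validation and the "system-bus-name" subject come from the article.

```python
import secrets

MAX_HOLDS = 16  # cap the article gives for TLP 1.9.1


class HoldError(Exception):
    """Raised for rejected hold or release requests (hypothetical name)."""


def polkit_subject(sender):
    """Build a Polkit subject from the caller's unique D-Bus name.

    The bus daemon assigns the unique name (":1.42") to one connection, so
    there is no PID to recycle between capture and the authorization check.
    """
    if not isinstance(sender, str) or not sender.startswith(":"):
        raise HoldError("caller has no unique bus name")
    return ("system-bus-name", {"name": sender})


class HoldRegistry:
    """Hypothetical stand-in for the daemon's profile-hold bookkeeping."""

    def __init__(self):
        self._holds = {}  # cookie -> (owner bus name, profile)

    def hold(self, sender, profile):
        if len(self._holds) >= MAX_HOLDS:
            raise HoldError("too many profile holds")
        cookie = secrets.randbits(32)  # unpredictable, unlike 0, 1, 2, ...
        while cookie in self._holds:
            cookie = secrets.randbits(32)
        self._holds[cookie] = (sender, profile)
        return cookie

    def release(self, sender, cookie):
        # Validate the parameter before using it; bool is an int subclass.
        if isinstance(cookie, bool) or not isinstance(cookie, int):
            raise HoldError("cookie must be an integer")
        if not 0 <= cookie < 2**32:
            raise HoldError("cookie out of range")
        entry = self._holds.get(cookie)
        # Owner binding is an extra assumption of this example; unknown and
        # foreign cookies get the same error so neither can be told apart.
        if entry is None or entry[0] != sender:
            raise HoldError("unknown cookie")
        del self._holds[cookie]
```

A malformed ReleaseProfile argument ends in a controlled HoldError that the D-Bus method handler can map to an error reply, instead of an unhandled exception inside the daemon.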
