A newly reported vulnerability in the Linux UDisks daemon, tracked as CVE-2025-8067, allows local users without privileges to access data belonging to higher-level accounts. Red Hat disclosed the flaw on August 28, 2025, rating it as "Important" with a CVSS score of 8.5.
The issue stems from how UDisks validates the file index parameter when creating loop devices. The daemon rejects values above the allowed maximum but never rejects negative indices, so a negative value passes the check. This oversight lets a local attacker trigger out-of-bounds reads, potentially exposing sensitive memory such as cryptographic keys, personal data, or credentials. It may also lead to system crashes or privilege escalation.
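To illustrate the bug class the article describes, the following is an added example (not UDisks' own code): a signed index check that only tests the upper bound, shown beside two corrected forms and a lookup that refuses invalid indices. The handle table, its size and the function names are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a small table of handles standing in for the
 * per-request file descriptors a daemon receives from a client. */
#define HANDLE_COUNT 4
static const int handles[HANDLE_COUNT] = { 10, 11, 12, 13 };

/* Incomplete check: rejects indices above the maximum, but because idx is
 * signed, a negative value such as -1 passes and would index memory before
 * the start of the table (an out-of-bounds read). This mirrors the bug
 * class in the advisory; it is not UDisks' code. */
bool index_ok_incomplete(int idx)
{
    return idx < HANDLE_COUNT;
}

/* Corrected check: reject both ends of the range explicitly. */
bool index_ok_fixed(int idx)
{
    return idx >= 0 && idx < HANDLE_COUNT;
}

/* Equivalent idiom: converting to unsigned makes any negative value wrap
 * to a huge number, so one upper-bound test covers both directions. */
bool index_ok_unsigned(int idx)
{
    return (unsigned int)idx < (unsigned int)HANDLE_COUNT;
}

/* Safe lookup built on the corrected check: returns -1 instead of reading
 * outside the table when the index is invalid. */
int lookup_handle(int idx)
{
    if (!index_ok_fixed(idx))
        return -1;
    return handles[idx];
}

int main(void)
{
    const int probes[] = { 0, 3, 4, -1, INT_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%d incomplete=%d fixed=%d unsigned=%d lookup=%d\n",
               probes[i], index_ok_incomplete(probes[i]),
               index_ok_fixed(probes[i]), index_ok_unsigned(probes[i]),
               lookup_handle(probes[i]));
    return 0;
}
```

Running it shows the incomplete check accepting -1 and INT_MIN while both corrected forms reject them and the lookup returns -1 rather than touching memory outside the table.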
Affected systems include Red Hat Enterprise Linux versions 6 through 10, and packages like udisks, udisks2, libudisks2, and related modules. All versions of these packages should be considered vulnerable unless otherwise stated.
Red Hat urges immediate patching, as no workaround currently exists. The flaw is low in complexity and requires no user interaction, making it a serious risk for enterprise environments. Admins are advised to monitor Red Hat’s repositories for updated packages and apply them promptly.