Security update for udisks2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20206-1 Final 1 1 2026-01-30T14:28:35Z current 2026-01-30T14:28:35Z 2026-01-30T14:28:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for udisks2 This update for udisks2 fixes the following issues: - CVE-2025-8067: Fixed a missing bounds check that could lead to out-of-bounds read in udisks daemon (bsc#1248502). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SL-Micro-6.2-226 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620206-1/ Link for SUSE-SU-2026:20206-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024053.html E-Mail link for SUSE-SU-2026:20206-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248502 SUSE Bug 1248502 https://www.suse.com/security/cve/CVE-2025-8067/ SUSE CVE CVE-2025-8067 page SUSE Linux Micro 6.2 libudisks2-0-2.10.1-160000.3.1 libudisks2-0_btrfs-2.10.1-160000.3.1 libudisks2-0_lvm2-2.10.1-160000.3.1 udisks2-2.10.1-160000.3.1 libudisks2-0-2.10.1-160000.3.1 as a component of SUSE Linux Micro 6.2 libudisks2-0_btrfs-2.10.1-160000.3.1 as a component of SUSE Linux Micro 6.2 libudisks2-0_lvm2-2.10.1-160000.3.1 as a component of SUSE Linux Micro 6.2 udisks2-2.10.1-160000.3.1 as a component of SUSE Linux Micro 6.2 A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users. CVE-2025-8067 SUSE Linux Micro 6.2:libudisks2-0-2.10.1-160000.3.1 SUSE Linux Micro 6.2:libudisks2-0_btrfs-2.10.1-160000.3.1 SUSE Linux Micro 6.2:libudisks2-0_lvm2-2.10.1-160000.3.1 SUSE Linux Micro 6.2:udisks2-2.10.1-160000.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620206-1/ https://www.suse.com/security/cve/CVE-2025-8067.html CVE-2025-8067 https://bugzilla.suse.com/1248502 SUSE Bug 1248502