CVE-2026-26104 Overview
A flaw was found in the udisks storage management daemon that allows unprivileged local users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check before acting. As a result, sensitive cryptographic metadata can be read from the device and written, with the daemon's privileges, to a location the caller chooses. This weakens the confidentiality guarantees of encrypted storage volumes.
Critical Impact
Local unprivileged attackers can extract LUKS encryption headers containing sensitive cryptographic metadata, potentially enabling offline password attacks against encrypted storage volumes.
Affected Products
- udisks storage management daemon (specific versions not disclosed)
Discovery Timeline
- February 25, 2026 - CVE-2026-26104 published to NVD
- February 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-26104
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), which occurs when a software component does not perform an authorization check when an actor attempts to access a resource or perform an action. In the context of udisks, the storage management daemon exposes D-Bus methods that allow interaction with encrypted storage volumes. The flaw exists in a privileged D-Bus method responsible for exporting LUKS encryption headers.
LUKS (Linux Unified Key Setup) headers hold the metadata needed to unlock a volume: the key slots (each containing the volume master key wrapped under a key derived from one passphrase), the cipher, mode and hash specifications, the salts, and the iteration or memory-cost parameters of the key derivation. The master key is never stored in the clear, but a copy of the header lets an attacker run dictionary or brute-force attacks against every enrolled passphrase offline, at their own pace, with no lockout and no trace left on the target. A header copy also stays valid for the volume it was taken from: if an administrator later changes or revokes a passphrase, the old header still unlocks the data with the old passphrase unless the volume is re-encrypted under a new master key, which is why the cryptsetup documentation treats header backups as material that must be protected. The vulnerability requires local access, so an attacker must already hold some level of access to the target system.
Root Cause
The root cause is a missing PolicyKit authorization check in the D-Bus method responsible for LUKS header export functionality. D-Bus services on Linux systems typically rely on PolicyKit (polkit) to enforce access control policies for privileged operations. When a D-Bus method fails to invoke the appropriate polkit authentication check, any local user can call the method regardless of their privilege level.
The affected method lets the caller specify an arbitrary output location for the exported header. Because udisksd runs as root, the file is written with root privileges, so an attacker can direct the copy to any location they can later read, such as /tmp, their home directory or removable media.
Attack Vector
The attack vector is local: the attacker needs a session on the target system from which the system D-Bus is reachable (a shell, or any process able to send messages to the system bus). Exploitation consists of invoking the vulnerable D-Bus method with standard client utilities such as dbus-send, gdbus or busctl, or with a custom script. The attack flow typically involves:
- The attacker identifies encrypted LUKS volumes on the system through standard block device enumeration
- The attacker invokes the vulnerable udisks D-Bus method to export the LUKS header
- The exported header file is written to an attacker-specified location
- The attacker exfiltrates the header file for offline cryptographic analysis
This vulnerability is particularly concerning in multi-user environments such as shared workstations, container hosts with unprivileged user access, or systems where users have limited shell access. For more technical details, refer to the Red Hat CVE Advisory.
Detection Methods for CVE-2026-26104
Indicators of Compromise
- Unexpected calls to udisks D-Bus methods related to LUKS header operations from non-root users
- Creation of LUKS header backup files in unusual locations (e.g., /tmp, user home directories, or removable media mount points)
- Captures of system bus traffic (dbus-monitor, busctl monitor) showing header export requests originating from unprivileged user sessions; the bus itself keeps no message log, so this requires an active capture
Detection Strategies
- Monitor D-Bus system bus for calls to udisks encrypted volume methods, particularly those involving header export functionality
- Implement file integrity monitoring (FIM) on directories commonly used for data exfiltration such as /tmp, /var/tmp, and user-writable paths
- Use auditd rules to record file creation in the directories above, then check the new files for the LUKS header signature or for header-backup naming patterns (auditd matches paths and syscalls, not file contents, so the signature check is a follow-up step)
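The bus-monitoring strategy above, as an added example that is not udisks or Red Hat code: a parser for the text that dbus-monitor prints when run with a match rule restricted to the org.freedesktop.UDisks2.Encrypted interface (the match-rule syntax is standard D-Bus). Because the page does not name the vulnerable method, the script does not hard-code one; it treats the interface's documented methods as a baseline (the ROUTINE_MEMBERS set is an assumption to adjust per udisks version) and reports any other call on the interface. SAMPLE_OUTPUT is constructed in dbus-monitor's line format; the sender field is a unique bus name, and mapping it to a uid has to be done live (org.freedesktop.DBus.GetConnectionUnixUser), which this offline example does not do.

```python
"""Flag calls on the org.freedesktop.UDisks2.Encrypted interface in dbus-monitor output.

Added example for this page (not udisks or Red Hat code). Feed it the text produced by
    dbus-monitor --system "type='method_call',interface='org.freedesktop.UDisks2.Encrypted'"
The SAMPLE_OUTPUT below is constructed in dbus-monitor's line format for demonstration.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

ENCRYPTED_IFACE = "org.freedesktop.UDisks2.Encrypted"
MATCH_RULE = f"type='method_call',interface='{ENCRYPTED_IFACE}'"

# Assumed baseline of routine methods on the interface; adjust to the deployed udisks version.
# Anything else on the interface is reported, so an export method surfaces without naming it.
ROUTINE_MEMBERS: FrozenSet[str] = frozenset({"Unlock", "Lock", "ChangePassphrase", "Resize"})

# dbus-monitor header line for a method call, e.g.
# method call time=... sender=:1.42 -> destination=org.freedesktop.UDisks2 serial=8 path=/...; interface=...; member=Unlock
_HEADER_RE = re.compile(
    r"^method call (?:time=(?P<time>\S+) )?sender=(?P<sender>\S+) -> "
    r"destination=(?P<dest>\S+) serial=(?P<serial>\d+) "
    r"path=(?P<path>[^;]+); interface=(?P<iface>[^;]+); member=(?P<member>\S+)$"
)


@dataclass(frozen=True)
class DbusCall:
    time: Optional[str]
    sender: str        # unique bus name such as :1.42, not a uid
    destination: str
    path: str          # object path of the block device the call targets
    interface: str
    member: str


def parse_monitor_output(text: str) -> List[DbusCall]:
    """Return one DbusCall per method-call header line; argument lines are skipped."""
    calls: List[DbusCall] = []
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            calls.append(DbusCall(m["time"], m["sender"], m["dest"],
                                  m["path"], m["iface"], m["member"]))
    return calls


def unexpected_encrypted_calls(calls: Iterable[DbusCall],
                               baseline: FrozenSet[str] = ROUTINE_MEMBERS) -> List[DbusCall]:
    """Encrypted-interface calls whose method is outside the routine baseline."""
    return [c for c in calls if c.interface == ENCRYPTED_IFACE and c.member not in baseline]


# Constructed sample: a Properties read, a routine Unlock, and a call to a placeholder
# method ("SampleMethod" stands in for any non-baseline method; it is not a real udisks name).
# Note that dbus-monitor prints arguments, so the Unlock passphrase appears in the clear.
SAMPLE_OUTPUT = """\
method call time=1771977600.012345 sender=:1.42 -> destination=org.freedesktop.UDisks2 serial=7 path=/org/freedesktop/UDisks2/Manager; interface=org.freedesktop.DBus.Properties; member=GetAll
   string "org.freedesktop.UDisks2.Manager"
method call time=1771977601.500000 sender=:1.42 -> destination=org.freedesktop.UDisks2 serial=8 path=/org/freedesktop/UDisks2/block_devices/sda3; interface=org.freedesktop.UDisks2.Encrypted; member=Unlock
   string "s3cret-passphrase"
   array [
   ]
method call time=1771977602.250000 sender=:1.87 -> destination=org.freedesktop.UDisks2 serial=3 path=/org/freedesktop/UDisks2/block_devices/sda3; interface=org.freedesktop.UDisks2.Encrypted; member=SampleMethod
   string "/tmp/hdr.bin"
   array [
   ]
"""

if __name__ == "__main__":
    print(f"capture with: dbus-monitor --system \"{MATCH_RULE}\"")
    for call in unexpected_encrypted_calls(parse_monitor_output(SAMPLE_OUTPUT)):
        print(f"UNEXPECTED {call.interface}.{call.member} on {call.path} from {call.sender}")
```

Two operational notes: resolve each flagged sender to a uid immediately (the unique name is recycled when the connection closes), and treat the raw capture as sensitive, since Unlock carries the passphrase as a plain string argument; redact argument lines before forwarding anything to a SIEM.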
Monitoring Recommendations
- Enable debug logging for the udisks daemon so that method calls on encrypted volumes are recorded, and log PolicyKit authorization events
- Configure SIEM alerts for patterns indicating LUKS header export activity from non-administrative accounts
- Review polkit logs periodically for failed or unexpected authorization requests related to storage operations. Note that the vulnerable method never asks polkit for authorization, so polkit logs cannot show the export itself; they remain useful for the other encrypted-volume operations, and the D-Bus capture above is the observation point for the export
How to Mitigate CVE-2026-26104
Immediate Actions Required
- Review and restrict local user access on systems with sensitive encrypted volumes
- Audit existing LUKS volumes for unauthorized header exports by checking for unexpected backup files
- Consider implementing additional access controls through SELinux or AppArmor policies to restrict udisks D-Bus method access
- Monitor the Red Hat Bugzilla Report for patch availability and updates
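The header-signature check named under Detection Strategies and the audit for unexpected backup files recommended above, as one added example (not udisks or Red Hat code). It relies on the on-disk LUKS format: LUKS1 and LUKS2 primary headers both begin with the magic bytes LUKS followed by 0xBA 0xBE and a big-endian 16-bit version, the LUKS2 secondary header copy begins with SKUL 0xBA 0xBE, and both versions keep the 40-byte volume UUID at offset 168. The scanner reads only the first 208 bytes of each file. The sample files it writes are constructed fixtures with only those fields populated; directory names are placeholders.

```python
"""Find files that carry a LUKS header signature under a directory tree.

Added example for this page (not udisks or Red Hat code). The constructed samples in
demo() stand in for files an attacker might have exported to /tmp or a home directory.
"""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header, LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header copy
UUID_OFFSET = 168                        # same offset in LUKS1 and LUKS2
UUID_LEN = 40
MIN_HEADER_LEN = UUID_OFFSET + UUID_LEN  # enough to read magic, version and UUID


@dataclass(frozen=True)
class LuksHit:
    path: str
    version: int
    uuid: str
    secondary: bool


def parse_luks_header(data: bytes, path: str = "<memory>") -> Optional[LuksHit]:
    """Return a LuksHit if `data` starts with a LUKS on-disk header, else None."""
    if len(data) < MIN_HEADER_LEN:
        return None
    magic = data[:6]
    if magic == LUKS_MAGIC:
        secondary = False
    elif magic == LUKS2_SECONDARY_MAGIC:
        secondary = True
    else:
        return None
    (version,) = struct.unpack_from(">H", data, 6)
    if version not in (1, 2) or (secondary and version != 2):
        return None  # unknown version, or a secondary magic that only LUKS2 uses
    raw_uuid = data[UUID_OFFSET:UUID_OFFSET + UUID_LEN]
    uuid = raw_uuid.split(b"\x00", 1)[0].decode("ascii", "replace")
    return LuksHit(path=path, version=version, uuid=uuid, secondary=secondary)


def scan_tree(root: str) -> List[LuksHit]:
    """Walk `root` and report every regular file whose first bytes form a LUKS header.

    Only MIN_HEADER_LEN bytes per file are read; symlinks and unreadable files are skipped.
    """
    hits: List[LuksHit] = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(MIN_HEADER_LEN)
            except OSError:
                continue
            hit = parse_luks_header(head, full)
            if hit is not None:
                hits.append(hit)
    return hits


def build_sample_header(version: int, uuid: str, secondary: bool = False) -> bytes:
    """Constructed fixture laid out like a LUKS header; only magic, version and UUID are set.

    This is not a usable LUKS header, just enough structure for the scanner to recognise.
    """
    buf = bytearray(4096)
    buf[0:6] = LUKS2_SECONDARY_MAGIC if secondary else LUKS_MAGIC
    struct.pack_into(">H", buf, 6, version)
    buf[UUID_OFFSET:UUID_OFFSET + UUID_LEN] = uuid.encode("ascii").ljust(UUID_LEN, b"\x00")
    return bytes(buf)


def demo() -> List[LuksHit]:
    """Populate a scratch directory with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "hdr1.img": build_sample_header(1, "1c3a5e7f-0000-4000-8000-000000000001"),
            "backup.bin": build_sample_header(2, "1c3a5e7f-0000-4000-8000-000000000002"),
            "sda3.hdr2": build_sample_header(2, "1c3a5e7f-0000-4000-8000-000000000002", secondary=True),
            "notes.txt": b"plain text that merely mentions LUKS headers\n",
            "short.bin": LUKS_MAGIC,  # magic alone is too short to be a header
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_tree(tmp)


if __name__ == "__main__":
    for hit in demo():
        kind = "secondary " if hit.secondary else ""
        print(f"{hit.path}: LUKS{hit.version} {kind}header, uuid={hit.uuid}")
```

On a real host run it as root over /tmp, /var/tmp, home directories and removable-media mount points, and compare the UUIDs it reports with the output of blkid -t TYPE=crypto_LUKS to learn which volume each copy belongs to; a header copy in a location no administrator created is the indicator described above, and any volume whose header has leaked should be re-encrypted rather than merely given a new passphrase.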
Patch Information
Patch information is not yet available from the vendor. System administrators should monitor vendor security advisories and apply updates as soon as they become available. Refer to the Red Hat CVE Advisory for the latest remediation guidance.
Workarounds
- Restrict local shell access to trusted users only on systems with encrypted storage containing sensitive data
- Use custom PolicyKit rules to tighten the other encrypted-volume actions (unlock, lock, passphrase change) for non-administrative users. Note that polkit rules only govern methods that ask polkit for authorization; because the vulnerable export method skips that check, no polkit rule can block it, so this reduces adjacent exposure rather than closing the flaw
- Use SELinux or AppArmor to confine the udisks daemon and restrict write access to sensitive directories
# Example PolicyKit rule (polkit >= 0.106, JavaScript rules) restricting the
# udisks2 encrypted-volume actions to members of the wheel group.
# Place in /etc/polkit-1/rules.d/50-udisks-luks-restrict.rules
# Caveat: this only applies to methods that consult polkit. The vulnerable
# header export does not, so the rule cannot block it. It also stops non-wheel
# desktop users from unlocking their own encrypted removable media.
polkit.addRule(function(action, subject) {
    // All udisks2 encrypted-volume actions share this prefix, for example
    // org.freedesktop.udisks2.encrypted-unlock and
    // org.freedesktop.udisks2.encrypted-change-passphrase
    if (action.id.indexOf("org.freedesktop.udisks2.encrypted") === 0) {
        if (!subject.isInGroup("wheel")) {
            return polkit.Result.NO;
        }
    }
    // Returning nothing leaves every other action on its default policy
});
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

