The flaw, tracked as CVE-2025-67859, could allow local attackers to bypass Polkit authentication and modify power profiles without proper authorization.
TLP, which stands for “the laptop power management” utility, is widely used by Linux system administrators and end users to extend laptop battery life.
The newly introduced power daemon in version 1.9.0 implements a D-Bus API to control system settings, but security researchers discovered a dangerous implementation that undermines the daemon’s protective security layers.
The Core Vulnerability
The primary issue stems from unsafe use of Polkit’s deprecated “unix-process” subject, which relies on process IDs for authorization decisions.
This approach is vulnerable to a well-known race condition that allows attackers to replace processes with higher-privilege ones during the authentication check window.
Researchers Matthias Gerstner and Filippo Bonazzi identified that local users could exploit this flaw to arbitrarily control power profiles and daemon logging settings without admin credentials.
Beyond the critical authentication bypass, the audit uncovered three additional security concerns: predictable cookie values that allow unauthorized users to release profile holds, unhandled exceptions when malformed requests are processed, and unlimited profile holds that enable denial-of-service attacks.
While individually less severe, these issues collectively expand the attack surface available to malicious actors.
SUSE researchers contacted the TLP upstream developer on December 16, 2025, initiating coordinated disclosure procedures.
The developer responded positively and provided patches within four days. After review and discussion, upstream released TLP version 1.9.1 on January 7, 2026, incorporating all recommended fixes.
The fixes included switching to Polkit’s secure “system bus name” subject for authentication, generating unpredictable cookie values, and limiting profile holds to 16 concurrent instances.
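The following is an added example, not TLP's code: a minimal sketch of a hold registry that applies three of the hardening measures described above (unpredictable cookies, a cap of 16 holds, and controlled errors for malformed requests). The class, method, and profile names are hypothetical, and the 32-bit cookie width is an assumption.

```python
import secrets

MAX_HOLDS = 16  # cap the article reports for TLP 1.9.1
# Constructed profile names for illustration only.
PROFILES = frozenset({"performance", "balanced", "power-saver"})


class HoldError(Exception):
    """Controlled error returned to the caller instead of a daemon traceback."""


class HoldRegistry:
    def __init__(self, max_holds=MAX_HOLDS):
        self._holds = {}  # cookie -> (profile, reason)
        self._max = max_holds

    def hold(self, profile, reason):
        # Validate untrusted request fields before touching any state.
        if not isinstance(profile, str) or profile not in PROFILES:
            raise HoldError("invalid profile")
        if not isinstance(reason, str) or len(reason) > 256:
            raise HoldError("invalid reason")
        # Bound the number of holds so a client cannot exhaust the daemon.
        if len(self._holds) >= self._max:
            raise HoldError("hold limit reached")
        # Draw the cookie from the OS CSPRNG rather than a counter, so one
        # client cannot derive another client's cookie (uint32 assumed).
        cookie = secrets.randbits(32)
        while cookie in self._holds:
            cookie = secrets.randbits(32)
        self._holds[cookie] = (profile, reason)
        return cookie

    def release(self, cookie):
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(cookie, bool) or not isinstance(cookie, int):
            raise HoldError("invalid cookie")
        if self._holds.pop(cookie, None) is None:
            raise HoldError("unknown cookie")

    def active(self):
        return len(self._holds)
```

In a real D-Bus service, `HoldError` would be mapped to a D-Bus error reply so that a malformed request cannot raise an unhandled exception in the daemon.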
| CVE ID | Vulnerability Type | Severity | Affected Version | Fix Available |
|---|---|---|---|---|
| CVE-2025-67859 | Polkit Authentication Bypass | Critical | TLP 1.9.0 | TLP 1.9.1+ |
System administrators should immediately update to TLP 1.9.1 or later. Users relying on TLP for battery management should verify their installation version and apply updates through their distribution’s package manager.
Organizations managing multiple Linux systems should prioritize this update in their patch management schedules.
The collaborative disclosure process demonstrates effective security practices, with upstream developers implementing comprehensive fixes within three weeks of initial notification.
This incident underscores the importance of security audits for system utilities that handle privileged operations via D-Bus interfaces.
The post Linux Battery Utility Vulnerability Allows Authentication Bypass and System Tampering appeared first on Cyber Security News.
