Vulnerability DatabaseCVE-2026-26104
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-26104
February 25, 2026
A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.
Affected Packages
https://github.com/storaged-project/udisks.git (GITHUB):
Affected version(s) >=udisks-2.10.90 <udisks-2.11.1
Fix Suggestion:
Update to version udisks-2.11.1
Related Resources (5)
https://access.redhat.com/errata/RHSA-2026:3476
https://bugzilla.redhat.com/show_bug.cgi?id=2433717
https://access.redhat.com/errata/RHSA-2026:5831
https://github.com/storaged-project/udisks/security/advisories/GHSA-fcvx-497g-6xmw
https://access.redhat.com/security/cve/CVE-2026-26104
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Missing Authorization
CWE-862
EPSS
Base Score:
0.01