Cyber Resilience

CVE-2026-26103

High

Published: 25 February 2026

Published
25 February 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0001 1.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26103 is a high-severity Missing Authorization (CWE-862) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26103 is a vulnerability in the udisks storage management daemon, which exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The flaw allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices, permanently invalidating encryption keys and rendering encrypted volumes inaccessible. This affects Linux systems utilizing udisks for storage management, particularly those with LUKS-encrypted volumes, and is classified under CWE-862 (Missing Authorization).

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), achieving high impact on integrity (I:H) and availability (A:H) while causing no confidentiality loss (C:N). Successful exploitation results in a denial-of-service condition through irreversible data loss on affected encrypted block devices, as the overwritten metadata prevents access to the volumes.

Red Hat has addressed the issue in Security Advisories RHSA-2026:3476 and RHSA-2026:5831, with further details available on the CVE page at access.redhat.com/security/cve/CVE-2026-26103, Bugzilla entry 2433719, and the GitHub security advisory GHSA-c75h-phf8-ccjm from the storaged-project/udisks repository. The vulnerability was published on 2026-02-25 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

EU & UK References

Vulnerability details

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite…

more

encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

The vulnerability directly enables a local unprivileged attacker to abuse the root-owned udisks D-Bus API to overwrite LUKS headers, causing irreversible inaccessibility of encrypted volumes and data loss, which maps to Data Destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4365Shared CWE-862
CVE-2025-23512Shared CWE-862
CVE-2025-31182Shared CWE-862
CVE-2026-4094Shared CWE-862
CVE-2025-59022Shared CWE-862
CVE-2026-27181Shared CWE-862
CVE-2026-4119Shared CWE-862
CVE-2024-12104Shared CWE-862
CVE-2026-32817Shared CWE-862
CVE-2026-25443Shared CWE-862

Affected Assets

redhat
enterprise linux
10.0
freedesktop
udisks
2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the privileged D-Bus restore-LUKS-header API before any root-owned write to encryption metadata can occur.

prevent

Requires the udisks daemon to operate with only the privileges needed for the requested action, eliminating the ability of an unprivileged local user to trigger root-level metadata overwrites.

prevent

Restricts which processes or users may perform configuration or metadata changes on block devices, blocking unauthorized LUKS header restoration attempts.

References