CVE-2026-26103
Published: 25 February 2026
Summary
CVE-2026-26103 is a high-severity Missing Authorization (CWE-862) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-26103 is a vulnerability in the udisks storage management daemon, which exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The flaw allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices, permanently invalidating encryption keys and rendering encrypted volumes inaccessible. This affects Linux systems utilizing udisks for storage management, particularly those with LUKS-encrypted volumes, and is classified under CWE-862 (Missing Authorization).
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), achieving high impact on integrity (I:H) and availability (A:H) while causing no confidentiality loss (C:N). Successful exploitation results in a denial-of-service condition through irreversible data loss on affected encrypted block devices, as the overwritten metadata prevents access to the volumes.
Red Hat has addressed the issue in Security Advisories RHSA-2026:3476 and RHSA-2026:5831, with further details available on the CVE page at access.redhat.com/security/cve/CVE-2026-26103, Bugzilla entry 2433719, and the GitHub security advisory GHSA-c75h-phf8-ccjm from the storaged-project/udisks repository. The vulnerability was published on 2026-02-25 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8634
Vulnerability details
A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite…
more
encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables a local unprivileged attacker to abuse the root-owned udisks D-Bus API to overwrite LUKS headers, causing irreversible inaccessibility of encrypted volumes and data loss, which maps to Data Destruction (T1485).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on the privileged D-Bus restore-LUKS-header API before any root-owned write to encryption metadata can occur.
Requires the udisks daemon to operate with only the privileges needed for the requested action, eliminating the ability of an unprivileged local user to trigger root-level metadata overwrites.
Restricts which processes or users may perform configuration or metadata changes on block devices, blocking unauthorized LUKS header restoration attempts.