udisks2: out-of-bounds read in Udisks2 daemon (CVE-2025-8067) #shorts
Summary
In today’s episode, we’re discussing CVE-2025-8067, a recently disclosed out-of-bounds read vulnerability in the UDisks2 daemon. The flaw allows unprivileged users to exploit a negative index value when creating loop devices via D-Bus, potentially crashing the service or escalating privileges on affected Linux systems.
Product details
This issue impacts the UDisks2 package shipped with multiple major distributions, including:
- Red Hat Enterprise Linux 6, 7, 8, 9 and 10
- SUSE Linux Enterprise 12 SP5 (and downstream SUSE builds)
- Debian udisks2 builds (discovered by Michael Imfeld)
Vendors have released updated packages that correct the bounds checking for the loop-device handler.
Vulnerability type summary
CVE-2025-8067 is classified as an out-of-bounds read. In particular, the handler that sets up loop devices accepts a signed index parameter without verifying its lower bound. A negative value allows read access outside the intended buffer.
Details of the vulnerability
UDisks2 exposes a D-Bus interface for managing block devices. When creating a loop device, the daemon receives a list of file descriptors and an index pointing to which descriptor to use. The code checks that the index isn’t larger than the list size, but fails to ensure it isn’t below zero. Passing a negative index causes the code to access memory before the descriptor array, leading to an out-of-bounds read. An attacker with local access can send a crafted D-Bus message to either crash the daemon or read privileged memory, opening the door to local privilege escalation.
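The bounds check described above, as an added example in C. This is not the UDisks2 source: the struct, the function names and the descriptor values are hypothetical and constructed for illustration. It compares the upper-only test, which accepts a negative index, with a two-sided test that rejects it, and only ever dereferences the array behind the two-sided test.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for the descriptor list received with a D-Bus call. */
struct fd_list { const int *fds; int length; };

/* Check as the page describes it: only the upper bound is tested,
 * so any negative signed index passes. */
static int index_accepted_upper_only(int index, int length) {
    return index < length;
}

/* Corrected check: the index must also be non-negative. */
static int index_accepted(int index, int length) {
    return index >= 0 && index < length;
}

/* Hardened lookup: stores the fd and returns 0, or returns -1 when the
 * index is outside [0, length). The array is never touched on rejection. */
static int fd_list_get(const struct fd_list *list, int index, int *out_fd) {
    if (list == NULL || out_fd == NULL || !index_accepted(index, list->length))
        return -1;
    *out_fd = list->fds[index];
    return 0;
}

/* Runs the hardened lookup against a constructed two-entry list. */
static int sample_lookup(int index) {
    static const int fds[] = { 7, 9 };  /* constructed sample descriptors */
    struct fd_list list = { fds, 2 };
    int fd = -1;
    return fd_list_get(&list, index, &fd) == 0 ? fd : -1;
}

int main(void) {
    int candidates[] = { 0, 1, 2, -1, -4096 };  /* constructed test indices */
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int idx = candidates[i];
        printf("index=%6d upper-only=%s both-bounds=%s lookup=%d\n", idx,
               index_accepted_upper_only(idx, 2) ? "accept" : "reject",
               index_accepted(idx, 2) ? "accept" : "reject",
               sample_lookup(idx));
    }
    return 0;
}
```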
Conclusion
To mitigate CVE-2025-8067, administrators should update UDisks2 to the patched versions provided by their distribution vendor. Restrict local D-Bus access to trusted users, and monitor for unexpected daemon crashes. Applying these fixes will close the negative-index gap and restore proper bounds checking in the loop-device handler.
Remediation and exploitation details
This chain involves the following actors
- local attacker: unprivileged user on the system
- system administrator: maintains and updates software packages
The following systems are involved
- UDisks2 daemon (manage storage devices and create loop devices): service running with elevated privileges
- Linux loop device handler (map a file to a block device): core kernel component invoked by UDisks2
Attack entry point
- D-Bus loop device creation interface: method exposed on the system bus allowing creation of loop devices
Remediation actions
Exploitation actions
use D-Bus introspection to locate the loop device creation handler
- busctl introspect org.freedesktop.UDisks2 /org/freedesktop/UDisks2/LoopSetup
call open() on a file owned by root or another privileged user
- int fd = open("/etc/shadow", O_RDONLY);
include the file descriptor list and supply a negative index value
- method call org.freedesktop.UDisks2.LoopSetup.CreateLoopDevice(fd_list=[fd], index=-1)
exploit missing lower-bound check on index parameter
- busctl call org.freedesktop.UDisks2 /org/freedesktop/UDisks2/LoopSetup org.freedesktop.UDisks2.LoopSetup.CreateLoopDevice hxi -1
trigger out-of-bounds read to leak privileged file contents or crash the service
- daemon crash or file descriptor leak yields access to contents of /etc/shadow
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://access.redhat.com/security/cve/CVE-2025-8067
- https://bugzilla.redhat.com/show_bug.cgi?id=2388623
- [2025-08-29] SUSE Linux 12 SP5 releases an important buffer overflow fix for Udisks2, addressing CVE-2025-8067.
- [2025-08-29] Debian's udisks2 has a critical out-of-bounds read vulnerability discovered by Michael Imfeld.
- [2025-08-29] SUSE reports an out-of-bounds read vulnerability in udisks2, CVE-2025-8067, affecting Linux systems.
- [2025-08-29] SUSE reports an important out-of-bounds error vulnerability in udisks2, tracked as CVE-2025-8067.