Linux laptop users are being urged to update after a flaw in a popular battery optimisation tool was found to allow authentication bypass and system tampering.
The vulnerability affects the TLP power profiles daemon introduced in version 1.9.0, which exposes a D-Bus API for managing power profiles with root privileges.
How the flaw works
TLP’s profiles daemon runs as root and uses Polkit to decide whether a client is allowed to change power profiles or logging settings.
In version 1.9.0, the daemon incorrectly relied on Polkit’s deprecated “unix-process” subject, passing only the caller’s PID for authorisation.
This creates a race condition in which the PID may already have been recycled by a more privileged process when Polkit evaluates it, allowing local users to bypass authentication and gain elevated control over TLP’s settings.
The issue has been assigned CVE-2025-67859 and allows any local user to arbitrarily change the active power profile and daemon log configuration without providing admin credentials.
TLP 1.9.1 replaces this fragile mechanism with the safer D-Bus “system bus name” subject, which ties authorization to the actual client connection instead of a race-prone PID.
Researchers also found several related weaknesses that, while generally lower impact, still expand the attack surface.
- The HoldProfile/ReleaseProfile API used predictable, incrementing integer “cookie” values, allowing other users or processes to guess cookies and release profile holds they did not create.
- Passing a non-integer cookie into ReleaseProfile triggered unhandled Python exceptions, which did not crash the daemon but reduced robustness.
- The daemon allowed an unlimited number of profile holds, letting local users push arbitrary strings into an internal dictionary and potentially cause a denial of service through resource exhaustion.
Upstream addressed these by switching to random, unpredictable cookies, hardening type handling, and limiting the number of simultaneous profile holds to 16.
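The two fixes described above (binding the Polkit subject to the D-Bus connection rather than a PID, and making profile-hold cookies unpredictable, type-checked and bounded) can be illustrated in a few dozen lines. The following is an added example, not code from TLP; the `HoldManager` class, the 32-hex-character cookie format, the per-sender ownership check on release and the `:1.x` sender names are this example's own assumptions. The Polkit subject tuples follow the `(kind, details)` shape that `org.freedesktop.PolicyKit1.Authority.CheckAuthorization` accepts, but nothing here talks to D-Bus or Polkit, so it runs offline.

```python
"""Added example: hardened profile-hold bookkeeping and Polkit subject
construction, modelled on the fixes described for TLP 1.9.1 (not TLP code)."""
import secrets
from typing import Any, Dict, Optional, Tuple

MAX_HOLDS = 16  # upstream's cap on simultaneous profile holds


def polkit_subject_unix_process(pid: int,
                                start_time: Optional[int] = None) -> Tuple[str, Dict[str, Any]]:
    """Deprecated subject kind: identifies the caller only by PID. The PID can be
    recycled by another (possibly more privileged) process before Polkit evaluates
    it, which is the race behind the flaw. Polkit also accepts a 'start-time' key
    to narrow that window, but the caller still has to supply it correctly."""
    details: Dict[str, Any] = {"pid": pid}
    if start_time is not None:
        details["start-time"] = start_time
    return ("unix-process", details)


def polkit_subject_bus_name(sender: str) -> Tuple[str, Dict[str, Any]]:
    """Safer subject kind: the unique D-Bus connection name (e.g. ':1.42') that the
    bus attaches to every message. It stays bound to the live connection, so there
    is no PID to recycle. Unique names always start with ':'."""
    if not sender.startswith(":"):
        raise ValueError("expected a unique bus name, got %r" % (sender,))
    return ("system-bus-name", {"name": sender})


class HoldManager:
    """Tracks profile holds by cookie. Assumed design: cookies are random hex
    strings, a hold may only be released by the connection that created it,
    non-string cookies are rejected up front, and the number of holds is capped."""

    def __init__(self, max_holds: int = MAX_HOLDS) -> None:
        self._holds: Dict[str, Tuple[str, str]] = {}  # cookie -> (sender, profile)
        self._max = max_holds

    def hold(self, sender: str, profile: str) -> str:
        # Bound the table so a local user cannot grow it without limit.
        if len(self._holds) >= self._max:
            raise RuntimeError("too many active profile holds")
        # 128 bits from the OS CSPRNG, unlike an incrementing counter that any
        # other client could predict.
        cookie = secrets.token_hex(16)
        self._holds[cookie] = (sender, profile)
        return cookie

    def release(self, sender: str, cookie: object) -> bool:
        # Validate the type before touching the table so a bad argument produces a
        # clean error instead of an unhandled exception deep in the lookup.
        if not isinstance(cookie, str):
            raise TypeError("cookie must be a string")
        entry = self._holds.get(cookie)
        if entry is None or entry[0] != sender:
            return False  # unknown cookie, or not owned by this connection
        del self._holds[cookie]
        return True

    def active(self) -> int:
        return len(self._holds)


if __name__ == "__main__":
    mgr = HoldManager()
    c = mgr.hold(":1.10", "performance")
    print("subject:", polkit_subject_bus_name(":1.10"))
    print("stranger release:", mgr.release(":1.99", c))  # False
    print("owner release:", mgr.release(":1.10", c))     # True
```

The ownership check in `release` is stricter than what the article attributes to upstream (which only made cookies unpredictable); with random 128-bit cookies alone, guessing is already infeasible, so the sender check is defence in depth rather than the fix itself.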
| CVE ID | Affected component | Severity / Notes |
| --- | --- | --- |
| CVE-2025-67859 | TLP 1.9.0 profiles daemon | High – authentication bypass, local root-controlled daemon. |
The main Polkit bypass is tracked as CVE-2025-67859, while the predictable cookies and unbounded profile holds were judged low severity and not given separate identifiers, in agreement with upstream.
Successful exploitation lets a local user tamper with power policy and related daemon behaviour, which in tightly controlled environments can undermine security expectations around performance, logging, and system behaviour.
According to the SUSE security team, the issues were reported under a coordinated disclosure process, with upstream patches developed in December 2025 and released as TLP 1.9.1 on January 7, 2026.
Users are advised to upgrade to TLP 1.9.1 or later through their distribution packages and to ensure only trusted local users have access to D-Bus and system power management interfaces.
