Linux Battery Utility Flaw Lets Hackers Bypass Authentication and Tamper System Settings

A critical security vulnerability has been discovered in TLP, a widely used Linux laptop battery optimization utility, allowing local attackers to bypass authentication controls and manipulate system power settings without authorization.

Security researchers from openSUSE identified a severe authentication bypass flaw in the power profiles daemon in TLP version 1.9.0, tracked as CVE-2025-67859.

The flaw is a race condition in the Polkit authorization check, enabling unprivileged local users to gain unauthorized control over power management configurations.

The flaw originated when TLP 1.9.0 introduced a new profiles daemon featuring a D-Bus API for controlling power settings.

| CVE ID | Severity | Attack Vector | Impact |
|---|---|---|---|
| CVE-2025-67859 | High | Local | Polkit Authentication Bypass |

During a routine security review requested by SUSE’s package maintainer, researchers discovered the daemon relied on Polkit’s deprecated “unix-process” subject for authentication, a method known to be vulnerable since CVE-2013-4288.

The vulnerability stems from the daemon’s unsafe handling of process identification during authorization checks.

When authenticating D-Bus clients, the system passes the caller’s process ID (PID) to Polkit for verification.

However, a race condition exists between when the PID is captured and when Polkit validates it, allowing attackers to substitute their process for one with higher privileges.

How the Attack Works

This authentication bypass grants local users complete control over TLP’s power profile settings and logging configurations without requiring administrative credentials.

While the attack requires local access, it poses significant risks in multi-user environments and shared systems.

Beyond the primary authentication bypass, researchers identified three additional security issues:

| Issue Type | Description | Security Impact |
|---|---|---|
| Predictable Cookie Values | Authentication tokens use sequential integers starting from zero, making them easy to guess. | Attackers can hijack or interfere with power management holds created by other users. |
| Denial-of-Service (DoS) Vulnerability | Unlimited profile holds can be created without authentication. | System resources can be exhausted, leading to daemon crashes due to excessive memory usage. |
| Exception Handling Flaws | Improper input validation in the ReleaseProfile method allows malformed parameters. | Unhandled exceptions are triggered, but the daemon continues running, risking instability. |

The openSUSE security team reported all findings to TLP’s upstream developer on December 16, 2025, initiating a coordinated disclosure process.

After collaborative patch development over the holiday season, TLP version 1.9.1 was released on January 7, 2026, containing comprehensive fixes for all identified vulnerabilities.

The patches implement robust D-Bus “system bus name” authentication, replace predictable cookies with cryptographically random values, enforce a maximum of 16 concurrent profile holds, and strengthen input validation throughout the daemon.

Linux users running TLP should immediately upgrade to version 1.9.1 or later.
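
The three secondary fixes described above (random cookies, a cap of 16 holds, validated ReleaseProfile input) are shown together in the hold registry below. This is an added example, not code from TLP or from the researchers; the class names, the 32-bit cookie width, the profile names and the owner check on release are assumptions made for illustration.

```python
import secrets

MAX_HOLDS = 16       # cap on concurrent holds, the limit the article gives for 1.9.1
COOKIE_BITS = 32     # assumption: cookies are unsigned 32-bit integers
PROFILES = ("performance", "power-saver")  # assumed profile names


class HoldError(Exception):
    """Raised for any rejected hold or release request."""


class HoldRegistry:
    """Hypothetical in-memory registry of profile holds (not TLP's code)."""

    def __init__(self):
        self._holds = {}  # cookie -> (owner bus name, profile)

    def hold(self, owner, profile):
        if profile not in PROFILES:
            raise HoldError("unknown profile")
        if len(self._holds) >= MAX_HOLDS:
            raise HoldError("too many holds")  # bounded memory under flooding
        # Draw from the OS CSPRNG instead of counting up from zero.
        cookie = secrets.randbits(COOKIE_BITS)
        while cookie in self._holds:
            cookie = secrets.randbits(COOKIE_BITS)
        self._holds[cookie] = (owner, profile)
        return cookie

    def release(self, owner, cookie):
        # Validate type and range before any lookup, so malformed input
        # gives a clean error instead of an unhandled exception.
        if isinstance(cookie, bool) or not isinstance(cookie, int):
            raise HoldError("cookie must be an integer")
        if not 0 <= cookie < 2 ** COOKIE_BITS:
            raise HoldError("cookie out of range")
        entry = self._holds.get(cookie)
        # Assumption: only the client that created a hold may release it.
        if entry is None or entry[0] != owner:
            raise HoldError("no such hold")
        del self._holds[cookie]
        return entry[1]
```

In a D-Bus service the `owner` value would be the caller's unique bus name as reported by the bus, not anything supplied by the client.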

System administrators managing multi-user environments should prioritize this update, as the vulnerability allows privilege escalation within power management subsystems.

Distribution maintainers have been notified and are releasing updated packages through standard channels.
