Affected software:
- TLP version 1.9.0 — a widely installed Linux laptop power-management/optimization utility that runs a daemon to adjust power profiles.
Vulnerability type:
- Authentication bypass (Polkit) — allows unprivileged local users to bypass intended authorization checks.
Severity:
- Reported as critical / high severity in many security reports (real-world impact) despite some vendor lists classifying it more moderately.

| Aspect | Details |
|---|---|
| CVE ID | CVE-2025-67859 |
| Component | TLP battery/power manager (Linux) |
| Vulnerability | Local authentication bypass via Polkit |
| Affected version | TLP ≤ 1.9.0 |
| Fixed version | TLP 1.9.1+ |
| Impact | Unauthorized power profile modification; potential DoS |

The vulnerability lies in how TLP’s new “profiles daemon” performs authentication via Polkit (PolicyKit), the Linux authorization framework:
- The daemon introduced in TLP 1.9.0 relies on an outdated Polkit method based on process IDs.
- Because of a race condition in how Polkit checks a caller’s credentials, a local non-privileged user could trick the system into thinking they are authorized.
- This lets the attacker issue privileged actions — like changing power profiles or altering daemon log configurations — without administrative credentials.
Impact & Risks
- Local privilege misuse: Any user with local shell access could modify global power settings or daemon behavior without root.
- Expanded attack surface: Other implementation flaws found alongside this issue include:
  - Predictable “cookie” values, enabling easier unauthorized interactions.
  - Unlimited profile holds, which can be abused for a denial-of-service (DoS) condition.
  - Unhandled exceptions on malformed input.
- While remote exploitation isn’t directly possible, on multi-user systems (e.g., shared servers, lab machines, or desktop environments) it poses a real risk of privilege escalation and configuration tampering.
Mitigation & Fixes
Fixed in TLP version 1.9.1 (released Jan 7, 2026)
- The developers have patched the issue by:
  - Using a more secure Polkit authentication approach (e.g., “system bus name” instead of deprecated methods).
  - Replacing predictable cookie generation with robust random values.
  - Limiting the number of concurrent profile holds to prevent DoS cases.
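
The cookie and hold-limit fixes listed above, sketched as an added Python example (not TLP's own code): a registry that hands out sequential cookies with no cap, next to one that uses random cookies, bounds concurrent holds, and refuses malformed input with a controlled error. The class names, `MAX_HOLDS`, the profile names and the `:1.x` bus-name owners used by callers are assumptions for illustration.

```python
import secrets

MAX_HOLDS = 16  # assumed cap; the page does not state the real limit
VALID_PROFILES = {"performance", "balanced", "power-saver"}  # assumed names


class HoldError(Exception):
    """Raised for any request the registry refuses."""


class WeakHoldRegistry:
    """'Before' pattern: sequential cookies, no limit on holds."""

    def __init__(self):
        self._next = 0
        self.holds = {}

    def hold(self, profile, owner):
        self._next += 1  # the next cookie is guessable by any caller
        self.holds[self._next] = (profile, owner)  # grows without bound
        return self._next


class HardenedHoldRegistry:
    """'After' pattern: random cookies, bounded holds, validated input."""

    def __init__(self, max_holds=MAX_HOLDS):
        self.max_holds = max_holds
        self.holds = {}

    def hold(self, profile, owner):
        # Type check first: an unhashable value would otherwise raise TypeError.
        if not isinstance(profile, str) or profile not in VALID_PROFILES:
            raise HoldError("unknown profile")
        if len(self.holds) >= self.max_holds:
            raise HoldError("too many concurrent holds")
        cookie = secrets.randbits(32)  # CSPRNG-backed 32-bit value
        while cookie == 0 or cookie in self.holds:  # avoid 0 and collisions
            cookie = secrets.randbits(32)
        self.holds[cookie] = (profile, owner)
        return cookie

    def release(self, cookie, owner):
        # Only the caller that created a hold may release it.
        entry = self.holds.get(cookie) if isinstance(cookie, int) else None
        if entry is None or entry[1] != owner:
            raise HoldError("no such hold for this caller")
        del self.holds[cookie]
```
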
Action steps:
- Upgrade to TLP 1.9.1 or later through your distribution’s package manager.
- On systems where TLP isn’t needed, consider temporarily disabling the daemon until patched.
- Prioritize patching on systems with multiple local users or in enterprise images.
