CVE-2025-8067: 
Rocky Linux vulnerability analysis and mitigation

CVE-2025-8067 is an out-of-bounds read vulnerability discovered in the UDisks daemon, disclosed on August 28, 2025. The vulnerability affects the UDisks project, which provides a daemon, tools, and libraries to access and manipulate disks and storage devices. The flaw allows unprivileged users to create loop devices using the D-BUS system (NVD, Red Hat).

The vulnerability exists in the loop device handler of the UDisks daemon, which processes requests through the D-BUS interface. The handler accepts file descriptor list and index parameters to specify the backing file for loop devices. While the function validates the upper bound of the index value, it fails to validate the lower bound, allowing negative index values. This results in an out-of-bounds read vulnerability. The issue has been assigned a CVSS v3.1 base score of 8.5 (High) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H (OSS Security).

Successful exploitation of this vulnerability can lead to two primary outcomes: 1) A crash of the daemon process resulting in a denial of service, or 2) Mapping of an internal file descriptor from the daemon process onto a loop device, which could lead to local privilege escalation by gaining access to files owned by privileged users (OSS Security).

The vulnerability has been fixed in udisks2 versions 2.10.91 and 2.10.2. Updates have been released for various Linux distributions including Red Hat Enterprise Linux 8, 9, and 10 through security advisories RHSA-2025:15017, RHSA-2025:15018, and RHSA-2025:15020 respectively. Users are advised to update to the patched versions (ASEC).