A critical security flaw has been disclosed in TLP, the widely used power management utility for Linux laptops, allowing unprivileged local users to bypass authorization checks and tamper with power-management settings controlled by a root daemon. The discovery comes from the SUSE Security Team, which found the vulnerability while reviewing the package.
The flaw, tracked as CVE-2025-67859, affects the new “profiles daemon” introduced in TLP version 1.9.0. This daemon runs with root privileges and exposes a D-Bus API for managing power settings, but a logic error in its Polkit authentication check rendered that protection ineffective.
The core of the issue lies in how the daemon verifies the permissions of the calling user. SUSE researchers were asked to review the changes in the new TLP release, and that review led to the discovery of the flaw.
“Our SUSE TLP package maintainer asked us for a review of the changes contained in the new TLP release, leading us to discover issues in the Polkit authentication logic used in TLP’s profiles daemon, which allow a complete authentication bypass,” the report states.
Essentially, the check intended to protect the root-privileged daemon was flawed, so any local user could call its privileged D-Bus methods without being authorized to do so.
In addition to the authentication bypass, the team identified other security weaknesses related to resource exhaustion.
One issue involves the “profile hold” mechanism, which allows users to temporarily lock a specific power profile. The researchers found that it allows “local users in an active session to create an unlimited number of profile holds without admin authentication”.
This lack of limits creates a clear path for a local Denial-of-Service (DoS) attack. “This can lead to resource exhaustion in the TLP power daemon, since an integer is entered into a Python dictionary along with arbitrary strings reason and application_id which are also supplied by the client”.
Interestingly, the report notes that: “We found a similar issue in GNOME’s power profile daemon some years ago, but GNOME upstream disagreed with our analysis at the time”.
A third finding concerned the “cookie” values the daemon hands out to identify these profile holds. The report ties this to the same attack surface: the hold mechanism “allows local users… to create an unlimited number of profile holds,” and the way the cookie values are generated is raised as a concern about their predictability in the context of that DoS attack surface.
The SUSE team acted quickly, reporting the issues to the upstream maintainers in December. The fixed release caps the number of concurrent profile holds at 16 to prevent resource exhaustion.
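To make the resource-exhaustion issue concrete, here is an added, simplified model of a hold registry of the kind the report describes: a root daemon stores client-supplied strings in a Python dictionary keyed by an integer cookie. This is illustrative code written for this article, not TLP’s own implementation; the class and method names (HoldRegistry, hold_profile, release_profile), the MAX_FIELD_LEN bound, and the rule that only the creating D-Bus sender may release a hold are assumptions made here. Only the cap of 16 concurrent holds comes from the reported fix.

```python
"""Toy profile-hold registry: unbounded variant next to a capped one.

Added example, not TLP code. It models the pattern the report describes
(integer cookie -> client-supplied reason/application_id strings) and shows
why an unbounded dictionary is a local DoS vector for a root daemon.
"""
from dataclasses import dataclass
from typing import Dict

MAX_HOLDS = 16        # limit reported for the fix in TLP 1.9.1
MAX_FIELD_LEN = 256   # assumption: also bound the client-supplied strings


@dataclass
class Hold:
    profile: str
    reason: str
    application_id: str
    sender: str  # assumed: the D-Bus unique name of the caller


class HoldRegistry:
    """Hold registry keyed by an integer cookie, stored in a plain dict."""

    def __init__(self, capped: bool = True) -> None:
        self._holds: Dict[int, Hold] = {}
        self._next_cookie = 1
        self._capped = capped

    def hold_profile(self, profile: str, reason: str,
                     application_id: str, sender: str) -> int:
        """Create a hold and return its cookie.

        In the unbounded variant every call grows the dict with attacker-chosen
        strings; the capped variant refuses once MAX_HOLDS are active and
        rejects oversized fields.
        """
        if self._capped:
            if len(self._holds) >= MAX_HOLDS:
                raise RuntimeError("too many active profile holds")
            if len(reason) > MAX_FIELD_LEN or len(application_id) > MAX_FIELD_LEN:
                raise ValueError("hold fields exceed MAX_FIELD_LEN")
        cookie = self._next_cookie
        self._next_cookie += 1
        self._holds[cookie] = Hold(profile, reason, application_id, sender)
        return cookie

    def release_profile(self, cookie: int, sender: str) -> None:
        """Release a hold; assumption: only its creator may do so."""
        hold = self._holds.get(cookie)
        if hold is None:
            raise KeyError(cookie)
        if hold.sender != sender:
            raise PermissionError("cookie belongs to another client")
        del self._holds[cookie]

    def active_holds(self) -> int:
        return len(self._holds)


def simulate_flood(registry: HoldRegistry, attempts: int) -> int:
    """Act as one local client hammering the API; return holds accepted."""
    accepted = 0
    for i in range(attempts):
        try:
            # constructed input: arbitrary strings, as a client could supply
            registry.hold_profile("performance", "x" * 200, f"flood-{i}", ":1.99")
            accepted += 1
        except RuntimeError:
            break
    return accepted


if __name__ == "__main__":
    print("unbounded:", simulate_flood(HoldRegistry(capped=False), 1000))
    print("capped:   ", simulate_flood(HoldRegistry(capped=True), 1000))
```

Run as a script, the unbounded registry accepts every one of the 1000 requests (and would keep growing for as long as the attacker cares to loop), while the capped registry stops at 16. A real daemon would additionally want a per-sender limit and cleanup when the D-Bus client disconnects, but those details are not covered by the report.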
Linux users running TLP 1.9.0 are strongly advised to upgrade to version 1.9.1 immediately to close these security gaps.