Amazon Linux 2 Security Advisory: ALAS2-2025-2992
Advisory Released Date: 2025-09-16
Advisory Updated Date: 2025-09-16
A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users. (CVE-2025-8067)
Affected Packages:
udisks2
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update udisks2 or yum update --advisory ALAS2-2025-2992 to update your system.
aarch64:
udisks2-2.7.3-9.amzn2.0.4.aarch64
libudisks2-2.7.3-9.amzn2.0.4.aarch64
udisks2-iscsi-2.7.3-9.amzn2.0.4.aarch64
udisks2-lvm2-2.7.3-9.amzn2.0.4.aarch64
udisks2-lsm-2.7.3-9.amzn2.0.4.aarch64
libudisks2-devel-2.7.3-9.amzn2.0.4.aarch64
udisks2-debuginfo-2.7.3-9.amzn2.0.4.aarch64
i686:
udisks2-2.7.3-9.amzn2.0.4.i686
libudisks2-2.7.3-9.amzn2.0.4.i686
udisks2-iscsi-2.7.3-9.amzn2.0.4.i686
udisks2-lvm2-2.7.3-9.amzn2.0.4.i686
udisks2-lsm-2.7.3-9.amzn2.0.4.i686
libudisks2-devel-2.7.3-9.amzn2.0.4.i686
udisks2-debuginfo-2.7.3-9.amzn2.0.4.i686
src:
udisks2-2.7.3-9.amzn2.0.4.src
x86_64:
udisks2-2.7.3-9.amzn2.0.4.x86_64
libudisks2-2.7.3-9.amzn2.0.4.x86_64
udisks2-iscsi-2.7.3-9.amzn2.0.4.x86_64
udisks2-lvm2-2.7.3-9.amzn2.0.4.x86_64
udisks2-lsm-2.7.3-9.amzn2.0.4.x86_64
libudisks2-devel-2.7.3-9.amzn2.0.4.x86_64
udisks2-debuginfo-2.7.3-9.amzn2.0.4.x86_64