PT-2025-11509 · Zincati · Zincati
Published 2025-03-17 · Updated 2025-03-17
CVE-2025-27512
CVSS v4.0: 2.1 (Low)
Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions
Zincati versions 0.0.24 through 0.0.29
Description
The issue is a logic error in a polkit rule shipped with Zincati that allows any unprivileged user to deploy updates to the system and reboot into the deployed update. Consequently, an unprivileged user with access to the system D-Bus socket can deploy older Fedora CoreOS versions, potentially reintroducing known vulnerabilities. The impact is primarily on users running untrusted workloads with access to the system D-Bus socket. Note that containers do not have access to the system D-Bus socket by default.
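As an added illustration of this bug class (not Zincati's own rule, whose text this entry does not reproduce): a stand-in for polkit's JavaScript rule engine, a rule with an assumed operator-precedence mistake that grants one update action to every user, and the hardened form that requires both the action match and the identity check. The action ids and the `updater` account are placeholders.

```javascript
// Minimal stand-in for polkit's rule engine (added example; not polkit itself).
// Action ids and the "updater" account are constructed placeholders.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  // The first rule returning a definite answer wins; undefined means "not
  // handled" and the action's default policy (assumed: admin auth) applies.
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return "auth_admin";
  },
};

const UPDATE_ACTIONS = ["example.updater.deploy", "example.updater.finalize"];

// Assumed shape of a logic error: && binds tighter than ||, so the user check
// guards only the second action id and the first one is granted to everyone.
function weakRule(action, subject) {
  if (action.id == UPDATE_ACTIONS[0] ||
      action.id == UPDATE_ACTIONS[1] && subject.user == "updater") {
    return polkit.Result.YES;
  }
}

// Hardened form: the action must be in the list AND the caller must be the
// service account; everything else is left to polkit's default policy.
function hardenedRule(action, subject) {
  if (UPDATE_ACTIONS.indexOf(action.id) !== -1 && subject.user == "updater") {
    return polkit.Result.YES;
  }
}

// Audit helper: load one rule and list every user:action pair it grants.
function grantedPairs(rule, users) {
  polkit.rules = [];
  polkit.addRule(rule);
  const granted = [];
  for (const id of UPDATE_ACTIONS) {
    for (const user of users) {
      if (polkit.check({ id }, { user }) === polkit.Result.YES) {
        granted.push(`${user}:${id}`);
      }
    }
  }
  return granted;
}
console.log("weak:", grantedPairs(weakRule, ["updater", "nobody"]));
console.log("hardened:", grantedPairs(hardenedRule, ["updater", "nobody"]));
```

The weak rule grants `example.updater.deploy` to `nobody` as well as to the service account; the hardened rule grants both actions only to `updater`.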
Recommendations
For Zincati versions 0.0.24 through 0.0.29, update to version 0.0.30 to fix the logic error in the polkit rule.
As a temporary workaround for versions 0.0.24 through 0.0.29, manually add a polkit rule as described in the GitHub Security Advisory.
Tags: Exploit, Fix, LPE, Incorrect Authorization
Affected Products: Zincati