PT-2026-1887 · Polkit+1

Matthias Gerstner · Published 2025-01-01 · Updated 2026-02-12 · CVE-2025-67859

CVSS v4.0: 5.1 (Medium)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

TLP versions prior to 1.9.1
TLP version 1.9.0

Description

TLP version 1.9.0 introduces a profiles daemon that provides a D-Bus interface. A flaw exists in this daemon that allows local attackers to bypass Polkit authentication. This bypass is due to a race condition within Polkit, enabling unauthorized modification of power profiles and system power settings without administrative privileges. This issue is particularly relevant in shared or multi-user Linux systems, where unprivileged users could potentially gain unauthorized control over power-management settings.

Recommendations

Update TLP to version 1.9.1 or later.

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2025-67859
OPENSUSE-SU-2026:10098-1

Affected Products

Polkit
TLP