ELA-1508-1 udisks2 security update

privilege escalation and/or DoS

2025-08-29
Package: udisks2
Version: 2.1.8-1+deb9u2 (stretch), 2.8.1-4+deb10u4 (buster)
Related CVEs: CVE-2025-8067


Michael Imfeld discovered an out-of-bounds read vulnerability in udisks2, which may result in denial of service (daemon process crash), or in mapping an internal file descriptor from the daemon process onto a loop device, resulting in local privilege escalation.



For Debian 10 buster, these problems have been fixed in version 2.8.1-4+deb10u4.

For Debian 9 stretch, these problems have been fixed in version 2.1.8-1+deb9u2.

We recommend that you upgrade your udisks2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.