Security News Linux Battery Utility Vulnerability Allows Authentication Bypass and System Tampering

Brownie2019

Linux laptop users are being urged to update after a flaw in a popular battery optimisation tool was found to allow authentication bypass and system tampering.

The vulnerability affects the TLP power profiles daemon introduced in version 1.9.0, which exposes a D-Bus API for managing power profiles with root privileges.
Full Story:
This report is about a newly disclosed local authorization bypass in TLP’s new “profiles daemon” (tlp-pd), not in the traditional (pre-1.9) TLP setup.

What’s actually affected
  • CVE-2025-67859 affects TLP 1.9.0’s profiles daemon (tlp-pd), introduced in 1.9.0.
  • It is a LOCAL issue: an unprivileged local user can bypass the intended Polkit authorization in tlp-pd’s D-Bus API and change the active power profile and tlp-pd log settings.
  • TLP 1.8.0 and older are stated as not affected; only 1.9.0 is vulnerable.

Why it matters (and what it does NOT mean)
  • The daemon runs as root and exposes a D-Bus interface, but the report describes bypassing authorization checks to control power profile and logging behavior (plus some related low-severity robustness/DoS issues), not “remote compromise”.
  • If the laptop is single-user and you don’t allow other local accounts/sessions, practical risk is typically lower than on multi-user systems (shared workstations, lab machines, kiosk-like setups, etc.).

Fix / recommended action
  • Update to TLP 1.9.1 (released Jan 7, 2026) or your distribution’s patched package, which addresses CVE-2025-67859 and also tightens related behavior (e.g., limiting stacked holds).

How to quickly check your system
  • Check TLP version: run tlp-stat --version
  • If you use tlp-pd, check client/daemon version: run tlpctl --version
  • Check if the daemon is enabled/running: systemctl status tlp-pd.service

Short-term mitigation (if you can’t update immediately)
If you don’t need desktop “power profile” switching via the D-Bus API right now, disabling tlp-pd reduces exposure:
  • Disable it: sudo systemctl disable --now tlp-pd.service
  • Optionally remove the tlp-pd package (keeping tlp installed) using your distro package manager.

Sources
Remediation & Recommendations

The vulnerability has been patched in TLP version 1.9.1, released on January 7, 2026.

Priority Action
Update TLP immediately.

For Debian/Ubuntu/Mint
Bash:
sudo apt update
sudo apt install --only-upgrade tlp

For Arch Linux/Manjaro
Bash:
sudo pacman -Syu tlp

For Fedora
Bash:
sudo dnf upgrade tlp

Verification
After updating, ensure you are on a safe version by checking the installed version.
Bash:
tlp --version

Ensure the output indicates version 1.9.1 or higher.

References

CVE ID

CVE-2025-67859

Affected Version
TLP 1.9.0

Patched Version
TLP 1.9.1

Disclosure Date
January 8, 2026
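A script that automates the version check from the first post and the post-update verification from the second, as an added example that is not code from the thread or from the TLP project. It assumes that `tlp-stat --version` prints a version string somewhere in its output and classifies versions exactly as the thread states (only 1.9.0 affected, 1.9.1 fixed):

```shell
#!/bin/sh
# Added example, not code from the thread or from the TLP project.
# Classifies a TLP version string against the range the thread gives
# for CVE-2025-67859 (only 1.9.0 affected, 1.9.1 fixed) and, on request,
# probes the local system. Assumption: `tlp-stat --version` prints a
# version string somewhere in its output.

# Compare two dotted versions; prints -1, 0 or 1. Distro suffixes such
# as "1.9.1-2" are ignored because only the upstream part matters here.
vercmp() {
    a=$1; b=$2; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return 0; }
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop "-2", "rc1" and the like
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return 0; }
        i=$((i + 1))
    done
}

# Map a version string to "unaffected" (no tlp-pd yet), "vulnerable" or "fixed".
tlp_status() {
    if [ "$(vercmp "$1" 1.9.0)" -lt 0 ]; then
        echo unaffected
    elif [ "$(vercmp "$1" 1.9.1)" -lt 0 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Probe this machine: installed version, its status, and whether tlp-pd runs.
check_system() {
    command -v tlp-stat >/dev/null 2>&1 || { echo "tlp not installed"; return 1; }
    v=$(tlp-stat --version 2>/dev/null | grep -o '[0-9][0-9.]*' | head -n 1)
    [ -n "$v" ] || { echo "could not read TLP version"; return 1; }
    svc=$(systemctl is-active tlp-pd.service 2>/dev/null || true)
    echo "TLP $v: $(tlp_status "$v"); tlp-pd is ${svc:-unknown}"
}

# Run the live probe only when asked, e.g. `sh check-tlp.sh --probe`.
if [ "${1:-}" = "--probe" ]; then
    check_system
fi
```

A result of "vulnerable" with tlp-pd "active" is the case the thread's short-term mitigation (disable the service) is meant for until the 1.9.1 package lands.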