Linux battery utility TLP patched after authentication bypass flaw

A critical vulnerability in the TLP Linux power management tool has been fixed after researchers discovered it allowed local attackers to bypass authorization and alter system settings. The flaw, identified in version 1.9.0 and tracked as CVE-2025-67859, stemmed from a race condition in the way TLP's daemon identified callers for its Polkit authorization checks. TLP developers released version 1.9.1 on January 7, 2026, addressing the issue following coordinated disclosure.

Security researchers from SUSE and openSUSE uncovered a severe authentication bypass in TLP version 1.9.0, a popular utility for optimizing laptop battery life on Linux systems. Tracked as CVE-2025-67859, the vulnerability stemmed from TLP's use of Polkit's deprecated "unix-process" subject, which identifies the caller by process ID. This method has been known to be susceptible to race conditions since CVE-2013-4288: because a PID can be reused, the process Polkit checks is not necessarily the process that made the request. That gap allowed local unprivileged users to gain control over power profiles and daemon logging without administrative credentials.

The issue arose with the introduction of a new power daemon in TLP 1.9.0, featuring a D-Bus API for system settings. Researchers Matthias Gerstner and Filippo Bonazzi identified that attackers could exploit this to arbitrarily modify configurations in multi-user environments, posing risks of system tampering.

Additional flaws included predictable cookie values enabling unauthorized release of profile holds, unhandled exceptions from malformed requests, and unlimited profile holds that could lead to denial-of-service attacks. These collectively widened the attack surface.

On December 16, 2025, the researchers notified TLP's upstream developer, who responded promptly and provided patches within four days. After review, TLP 1.9.1 was released on January 7, 2026, implementing key fixes: switching to Polkit's secure "system bus name" subject, using cryptographically random cookie values, limiting concurrent profile holds to 16, and enhancing input validation.
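The following is an added illustration of the three hardening measures described above, written for this article and not taken from TLP's own code: a Polkit subject keyed on the caller's unique D-Bus bus name instead of its PID, unguessable cookies for profile holds, a cap of 16 concurrent holds, and input validation that fails closed. The profile names and the `HoldError` type are assumptions for the example.

```python
import re
import secrets

MAX_HOLDS = 16  # cap adopted in TLP 1.9.1 according to the advisory
ALLOWED_PROFILES = {"performance", "balanced", "low-power"}  # assumed names
PROFILE_RE = re.compile(r"^[a-z][a-z-]{0,31}$")


class HoldError(Exception):
    """Raised for any rejected request; the daemon should answer with a D-Bus error, not crash."""


def polkit_subject(sender_bus_name: str) -> tuple:
    """Build the Polkit subject from the caller's unique bus name (":1.42").
    Unlike the deprecated 'unix-process' subject, a unique bus name cannot be
    reused by another process while the connection is alive, so there is no
    window in which the checked process and the requesting process differ."""
    if not sender_bus_name.startswith(":"):
        raise HoldError("expected a unique bus name, not a well-known name")
    return ("system-bus-name", {"name": sender_bus_name})


class ProfileHolds:
    """Tracks profile holds; each hold is released only with its own cookie."""

    def __init__(self, max_holds: int = MAX_HOLDS):
        self.max_holds = max_holds
        self._holds: dict[str, str] = {}  # cookie -> profile

    def request(self, profile) -> str:
        # Validate before doing anything else: wrong type, bad characters or an
        # unknown profile all fail closed instead of raising an unhandled exception.
        if not isinstance(profile, str) or not PROFILE_RE.match(profile) \
                or profile not in ALLOWED_PROFILES:
            raise HoldError(f"invalid profile: {profile!r}")
        if len(self._holds) >= self.max_holds:
            raise HoldError("too many concurrent holds")
        # 128 bits from the OS CSPRNG; a counter or timestamp would let another
        # local user guess the cookie and release someone else's hold.
        cookie = secrets.token_hex(16)
        self._holds[cookie] = profile
        return cookie

    def release(self, cookie) -> bool:
        # Unknown or forged cookies simply return False.
        return self._holds.pop(cookie, None) is not None


def rejects(fn, *args) -> bool:
    """True if the call fails closed with HoldError (helper for checks)."""
    try:
        fn(*args)
    except HoldError:
        return True
    return False
```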

Linux users and administrators are urged to update to version 1.9.1 or later via their distribution's package manager. This incident highlights the need for robust security in utilities handling privileged D-Bus operations, with the swift collaborative response exemplifying effective vulnerability management.
