Linux battery utility TLP patched after authentication bypass flaw

Security researchers from SUSE and openSUSE uncovered a severe authentication bypass in TLP version 1.9.0, a popular utility for optimizing laptop battery life on Linux systems. Tracked as CVE-2025-67859, the vulnerability exploited Polkit's deprecated "unix-process" subject, which relies on process IDs for authorization. This method, known to be susceptible to race conditions since CVE-2013-4288, allowed local unprivileged users to substitute their processes during authentication checks, gaining control over power profiles and daemon logging without administrative credentials.

The issue arose with the introduction of a new power daemon in TLP 1.9.0, featuring a D-Bus API for system settings. Researchers Matthias Gerstner and Filippo Bonazzi identified that attackers could exploit this to arbitrarily modify configurations in multi-user environments, posing risks of system tampering.

Additional flaws included predictable cookie values enabling unauthorized release of profile holds, unhandled exceptions from malformed requests, and unlimited profile holds that could lead to denial-of-service attacks. These collectively widened the attack surface.

On December 16, 2025, the researchers notified TLP's upstream developer, who responded promptly and provided patches within four days. After review, TLP 1.9.1 was released on January 7, 2026, implementing key fixes: switching to Polkit's secure "system bus name" subject, using cryptographically random cookie values, limiting concurrent profile holds to 16, and enhancing input validation.

Linux users and administrators are urged to update to version 1.9.1 or later via their distribution's package manager. This incident highlights the need for robust security in utilities handling privileged D-Bus operations, with the swift collaborative response exemplifying effective vulnerability management.