TLP is a utility for saving laptop battery power when running Linux. In version 1.9.0 of TLP a profiles daemon has been added to the project, which provides a D-Bus interface for controlling different power profiles. An unsafe use of the Polkit authentication API in this daemon allows local users to bypass authorization and gain arbitrary control over power profiles and log level settings of TLP. While looking into the new daemon we also found a few other security issues in the area of local Denial-of-Service.

Bugfix Release Power Profiles (tlp-pd) Fix Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859) Version 1.8.0 and older are not affected Ensure that all processes tha...