CVE-2025-6019
Published: 2025-06-19
Priority: high (CVSS 3.1 score 7.0)
Exploitation: exploited in the wild; in-the-wild exploit listed in VulnCheck KEV; tagged "Initial access"
EPSS: 0.42% (33.9th percentile)
A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able to escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libblockdev | < libblockdev 2.28-2+deb12u1 (bookworm) | libblockdev 2.28-2+deb12u1 (bookworm) |
Detection & IOCs (extracted from sources)
- Monitor for udisks D-Bus calls to resize loop-mounted filesystem images, particularly XFS images, from non-root users — this is the core exploit primitive for CVE-2025-6019.
- Alert on loop-mount events where the filesystem is mounted WITHOUT nosuid/nodev flags by the udisks daemon, as the exploit bypasses these security flags during the resize operation.
- Detect creation or modification of ~/.pam_environment files, especially those containing XDG_SEAT, XDG_VTNR, XDG_SESSION_TYPE, or XDG_SESSION_CLASS overrides, which are used to fake allow_active session context (CVE-2025-6018 chain step).
- Detect SUID-root binaries appearing inside user-controlled loop-mounted filesystem images, particularly XFS images, as this is the payload delivery mechanism.
- Look for SSH sessions where the connecting user subsequently gains allow_active polkit context — on SUSE/openSUSE 15 systems this indicates CVE-2025-6018 exploitation as a precursor to CVE-2025-6019.
- Audit for the exploit script artifact 'cve_2025_6018_exploit.log' on disk, which is written by the public PoC exploit tool targeting CVE-2025-6018/6019.
- Note: the exploit requires the attacker to already have 'allow_active' polkit context. On Red Hat systems, the default configuration prevents remote users (e.g., SSH) from appearing as local users, significantly reducing remote exploitability.
- Note: changing the polkit rule for 'org.freedesktop.udisks2.modify-device' from allow_active=yes to auth_admin is a documented workaround, but vendor patches should be prioritized.
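As an added illustration (not taken from any of the page's sources), the workaround in the last item above in polkit's action-definition format: the weak `<defaults>` block beside the corrected one. The action id is the one on the page; the file path and the description/message strings are assumptions for the sake of the excerpt.

```xml
<!-- Excerpt in the style of /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
     (path assumed). The <defaults> block decides whether a session that polkit
     classifies as "active" is authorised without any further authentication. -->

<!-- Weak: an allow_active user is authorised for the action with no prompt,
     which is the precondition CVE-2025-6019 builds on. -->
<action id="org.freedesktop.udisks2.modify-device">
  <description>Modify the drive settings</description>          <!-- placeholder text -->
  <message>Authentication is required to modify drive settings</message>
  <defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>auth_admin</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>

<!-- Corrected (documented workaround): active sessions must also authenticate
     as an administrator, so an allow_active user alone can no longer trigger
     the resize path without an admin credential. -->
<action id="org.freedesktop.udisks2.modify-device">
  <description>Modify the drive settings</description>          <!-- placeholder text -->
  <message>Authentication is required to modify drive settings</message>
  <defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>auth_admin</allow_inactive>
    <allow_active>auth_admin</allow_active>
  </defaults>
</action>
```

The effective setting can be verified with `pkaction --action-id org.freedesktop.udisks2.modify-device --verbose`, whose "implicit active" line should read auth_admin after the change. Because the .policy file is package-owned and is overwritten on upgrade, a deployment normally applies the same change as a rule in /etc/polkit-1/rules.d that returns polkit.Result.AUTH_ADMIN for this action id.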
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 7.0 | HIGH | |
| vulncheck | | 7.0 | HIGH | |
| vendor_debian | | 7.0 | HIGH | |
| vendor_redhat | | 7.0 | HIGH | |
OSV
CVE-2025-6019: A Local Privilege Escalation (LPE) vulnerability was found in libblockdev
osv · 2025-06-19 · CVSS 7.0 · HIGH
GHSA
GHSA-mpgj-hch9-5rvx: A Local Privilege Escalation (LPE) vulnerability was found in libblockdev
ghsa_unreviewed · 2025-06-19 · HIGH · CWE-250
VulnCheck
gitoxidelabs gix-date Execution with Unnecessary Privileges
vulncheck · 2025 · CVSS 7.0 · HIGH
Ubuntu
libblockdev vulnerability
vendor_ubuntu · 2025-06-18
Summary: libblockdev could be made to run programs as an administrator.
USN-7577-1 fixed a vulnerability in libblockdev. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Original advisory details: It was discovered that libblockdev incorrectly handled mount options when resizing certain filesystems. A local attacker with an active session on the console can use this issue to escalate their privileges to root.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
UDisks vulnerability
vendor_ubuntu · 2025-06-18
Summary: UDisks could be made to run programs as an administrator.
It was discovered that UDisks incorrectly handled mount options when resizing certain filesystems. A local attacker with an active session on the console can use this issue to escalate their privileges to root.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
UDisks vulnerability
vendor_ubuntu · 2025-06-18
Summary: UDisks could be made to run programs as an administrator.
USN-7578-1 fixed a vulnerability in UDisks. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Original advisory details: It was discovered that UDisks incorrectly handled mount options when resizing certain filesystems. A local attacker with an active session on the console can use this issue to escalate their privileges to root.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
libblockdev vulnerability
vendor_ubuntu · 2025-06-18
Summary: libblockdev could be made to run programs as an administrator.
It was discovered that libblockdev incorrectly handled mount options when resizing certain filesystems. A local attacker with an active session on the console can use this issue to escalate their privileges to root.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
libblockdev: LPE from allow_active to root in libblockdev via udisks
vendor_redhat · 2025-06-17 · CVSS 7.0 · HIGH · CWE-250
Debian
CVE-2025-6019: libblockdev - A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Gener...
vendor_debian · 2025 · CVSS 7.0 · HIGH
Scope: local
No detection rules found.
Bleepingcomputer
New Linux udisks flaw lets attackers get root on major Linux distros
blogs_bleepingcomputer · 2025-06-18 · CVSS 7.0 · HIGH
By Sergiu Gatlan
While successfully abusing the two flaws as part of a "local-to-root" chain exploit can let attackers quickly gain root and completely take over a SUSE system, the libblockdev/udisks flaw is also extremely dangerous on its own.
"Although it nominally requires 'allow_active' privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable," said Qualys TRU senior manager Saeed Abbasi.
"Techniques to gain 'allow_active,' including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort."
The Qualys Threat Research Unit (TRU), which discovered and reported both fla
Bleepingcomputer
CISA warns of attackers exploiting Linux flaw with PoC exploit
blogs_bleepingcomputer · 2025-06-18 · CVSS 7.8 · CVE-2023-0386 · HIGH
By Sergiu Gatlan
According to an analysis by Datadog Security Labs, CVE-2023-0386 is trivial to exploit and impacts a wide range of Linux distributions, including popular ones like Debian, Red Hat, Ubuntu, and Amazon Linux, if they're using a kernel version lower than 6.2.
"Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount," CISA explains. "This uid mapping bug allows a local user to escalate their privileges on the system."
As mandated by the November 2021 Binding Operational Directive (BOD) 22-
Qualys
Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev/udisks
blogs_qualys · 2025-06-17 · CVSS 7.8 · CVE-2025-6018 · HIGH
#### Table of Contents
- Understanding PAM and udisks/libblockdev
- Potential Impact
- Mitigation Guideline for libblockdev/udisks Vulnerability
- Technical Details
- Qualys QID Coverage
- Conclusion
The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.
The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user.
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges.
References
- https://access.redhat.com/errata/RHSA-2025:10796
- https://access.redhat.com/errata/RHSA-2025:9320
- https://access.redhat.com/errata/RHSA-2025:9321
- https://access.redhat.com/errata/RHSA-2025:9322
- https://access.redhat.com/errata/RHSA-2025:9323
- https://access.redhat.com/errata/RHSA-2025:9324
- https://access.redhat.com/errata/RHSA-2025:9325
- https://access.redhat.com/errata/RHSA-2025:9326
- https://access.redhat.com/errata/RHSA-2025:9327
- https://access.redhat.com/errata/RHSA-2025:9328
- https://access.redhat.com/errata/RHSA-2025:9878
- https://access.redhat.com/security/cve/CVE-2025-6019
- https://bugzilla.redhat.com/show_bug.cgi?id=2370051
- https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
- http://www.openwall.com/lists/oss-security/2025/06/17/5
- http://www.openwall.com/lists/oss-security/2025/06/17/6
- http://www.openwall.com/lists/oss-security/2025/06/18/1
- https://lists.debian.org/debian-lts-announce/2025/06/msg00018.html
- https://news.ycombinator.com/item?id=44325861
- https://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/