cbcvebase.
CVE-2025-6019
published 2025-06-19

Priority: P1, 80, high
CVSS 3.1: 7.0 HIGH (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (ITW exploit); VulnCheck KEV; Initial access
EPSS: 0.42% (33.9th percentile)
A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

Affected

1 range

Vendor: debian
Product: libblockdev
Version range: < libblockdev 2.28-2+deb12u1 (bookworm)
Fixed in: libblockdev 2.28-2+deb12u1 (bookworm)

Detection & IOCs (extracted from sources)

filename: ~/.pam_environment
  • Monitor for udisks D-Bus calls to resize loop-mounted filesystem images, particularly XFS images, from non-root users — this is the core exploit primitive for CVE-2025-6019.
  • Alert on loop-mount events where the filesystem is mounted WITHOUT nosuid/nodev flags by the udisks daemon, as the exploit bypasses these security flags during the resize operation.
  • Detect creation or modification of ~/.pam_environment files, especially those containing XDG_SEAT, XDG_VTNR, XDG_SESSION_TYPE, or XDG_SESSION_CLASS overrides, which are used to fake allow_active session context (CVE-2025-6018 chain step).
  • Detect SUID-root binaries appearing inside user-controlled loop-mounted filesystem images, particularly XFS images, as this is the payload delivery mechanism.
  • Look for SSH sessions where the connecting user subsequently gains allow_active polkit context — on SUSE/openSUSE 15 systems this indicates CVE-2025-6018 exploitation as a precursor to CVE-2025-6019.
  • Audit for the exploit script artifact 'cve_2025_6018_exploit.log' on disk, which is written by the public PoC exploit tool targeting CVE-2025-6018/6019.
  • The exploit requires the attacker to already have 'allow_active' polkit context. On Red Hat systems, the default configuration prevents remote users (e.g., SSH) from appearing as local users, significantly reducing remote exploitability.
  • Changing the polkit rule for 'org.freedesktop.udisks2.modify-device' from allow_active=yes to auth_admin is a documented workaround, but vendor patches should be prioritized.
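A polkit rule implementing the auth_admin workaround from the last bullet, added here as an example (it is not from the page's sources or the udisks project). The file path, the `polkit` shim and the `evaluate` helper are assumptions that exist only so the rule can be exercised outside polkitd; on a real host polkitd supplies the `polkit` object and only the `addRule` call matters.

```javascript
// Added example: /etc/polkit-1/rules.d/10-udisks2-modify-device.rules (path assumed).
// udisks2 ships org.freedesktop.udisks2.modify-device with allow_active=yes; that is the
// weak default a local "allow_active" user abuses in CVE-2025-6019. polkit .rules files
// are JavaScript run by polkitd in lexical order; the first rule returning a Result wins.

// Shim so this file also loads outside polkitd (e.g. under node for a dry run). Inside
// polkitd the global `polkit` already exists and this branch is skipped.
if (typeof polkit === "undefined") {
  var polkit = {
    Result: { AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); }
  };
}

polkit.addRule(function (action, subject) {
  // Require administrator authentication for device modification even from an active
  // local session, overriding the packaged allow_active=yes default for this action.
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
  // Any other action: return nothing so later rules and the action defaults apply.
});

// Dry-run helper (never called by polkitd): evaluates the registered rules the way
// polkitd does, returning NOT_HANDLED when no rule claims the action.
function evaluate(actionId, subject) {
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i]({ id: actionId }, subject);
    if (r !== undefined) { return r; }
  }
  return polkit.Result.NOT_HANDLED;
}
```

On a real host, `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device` prints the packaged implicit defaults that this rule overrides.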

CVSS provenance

nvd: v3.1, 7.0 HIGH, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 7.0 HIGH
vulncheck: 7.0 HIGH
vendor_debian: 7.0 HIGH
vendor_redhat: 7.0 HIGH