
Critical Linux Vulnerabilities: Full Root Access via PAM and Udisks in Major Distributions

Cybersecurity researchers have identified two local privilege escalation (LPE) vulnerabilities that could allow unprivileged users to obtain root access on major Linux distributions. Both were discovered by Qualys:

  • CVE-2025-6018: A flaw in the Pluggable Authentication Modules (PAM) configuration of SUSE 15 that lets an unprivileged local user escalate to an "allow_active" user.
  • CVE-2025-6019: An LPE issue in libblockdev, exploitable via the udisks daemon, that lets an "allow_active" user gain full root privileges when combined with CVE-2025-6018.

Saeed Abbasi, Senior Manager at Qualys Threat Research Unit, noted that modern exploits have diminished the distinction between a regular logged-in user and a full system takeover. By leveraging this vulnerability, attackers can exploit a legitimate service such as udisks to navigate through the Polkit trust zone and elevate their privileges almost instantaneously.

CVE-2025-6018 enables unauthorized users to interact with Polkit actions meant only for physical users. Meanwhile, CVE-2025-6019 impacts the udisks daemon, which is included by default across most Linux distributions, meaning that the vast majority of systems are susceptible. The ease with which users can gain "allow_active" status, particularly through the previously mentioned PAM issue, exacerbates this vulnerability.

Once an attacker achieves root access, they have unrestricted control over the system, which allows for further malicious actions, including the modification of security mechanisms and the establishment of backdoors for future access.

Qualys has developed proof-of-concept exploits to validate the existence of these vulnerabilities across various operating systems, including Ubuntu, Debian, and Fedora.

To protect against these vulnerabilities, users should promptly apply patches from their Linux distribution vendors. As a temporary workaround, users are advised to change the Polkit rule for "org.freedesktop.udisks2.modify-device" so that it requires administrator authentication.
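The following audit check is an added example, not code from the article or from Qualys. It reads a polkit `.policy` XML document and reports every session class for which "org.freedesktop.udisks2.modify-device" is allowed without administrator authentication; the sample policy is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"  # action named in the article
SESSION_KEYS = ("allow_any", "allow_inactive", "allow_active")
# Implicit authorizations that do not require an administrator password.
WEAK = {"yes", "auth_self", "auth_self_keep"}

# Constructed sample in polkit's .policy XML layout (not copied from a distribution).
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""


def action_defaults(policy_xml, action_id=ACTION_ID):
    """Return the <defaults> of action_id as a dict, or None if the action is absent."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == action_id:
            defaults = action.find("defaults")
            children = list(defaults) if defaults is not None else []
            return {el.tag: (el.text or "").strip() for el in children}
    return None


def audit(policy_xml, action_id=ACTION_ID):
    """List session classes that can run action_id without administrator authentication."""
    defaults = action_defaults(policy_xml, action_id)
    if defaults is None:
        return [f"{action_id}: not defined in this policy"]
    return [
        f"{action_id}: {key}={defaults[key]} (expected auth_admin)"
        for key in SESSION_KEYS
        if defaults.get(key) in WEAK
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```

To audit a real host, pass in the contents of the udisks2 `.policy` file under `/usr/share/polkit-1/actions/`. Rules in `/etc/polkit-1/rules.d/` take precedence over these defaults and are not evaluated here.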

Additional Flaw in Linux PAM

The vulnerabilities were disclosed shortly after the Linux PAM maintainers addressed a critical path traversal issue (CVE-2025-6020, CVSS score: 7.8). This flaw could similarly allow local users to escalate their privileges to root and has been patched in version 1.7.1.

According to maintainer Dmitry V. Levin, the affected module pam_namespace in versions of Linux-PAM prior to 1.7.0 could be manipulated to gain root access through various symlink attacks. Users utilizing pam_namespace for setting up polyinstantiated directories must ensure these paths are safe from user control to remain secure.

Olivier Bal-Petre from ANSSI, the security agency of France, reported the vulnerability on January 29, 2025. Users who run a namespace.init script that was not provided by their distribution should also update it to ensure that specific paths are secure for root operations.

