Pierluigi Paganini
June 20, 2025
Qualys researchers discovered two local privilege escalation (LPE) vulnerabilities, an attacker can exploit them to gain root privileges on machines running major Linux distributions.
The two vulnerabilities are:
The second vulnerability (CVE-2025-6019), found in libblockdev and exploitable through the default udisks service, lets a physical or compromised user escalate their access to full root privileges. When combined, these two flaws allow an unprivileged attacker to gain full control over a system.
While attacks that start from any unprivileged user and lead to root access are generally more concerning, this chain of vulnerabilities is particularly dangerous because of how easily they can be linked together.
Researchers also pointed to similar recent high-profile exploits that relied on the same “allow_active” user loophole, and a recent blog post by Pumpkin Chang showing how attackers could abuse D-Bus and Polkit rules to impersonate physical users via SSH.
“Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.” reads the report published by Qualys. “This libblockdev/udisks flaw is extremely significant. Although it nominally requires “allow_active” privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain “allow_active”, including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort.”
Qualys confirmed the flaws affect systems like Ubuntu, Debian, FQualys and also developed proof-of-concept exploits to demonstrate the vulnerabilities on these operating systems.
Users should apply security patches to address the flaws or, as a temporary fix, adjust Polkit rules to require admin authentication.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Linux)
