Cybersecurity researchers have uncovered two native privilege escalation (LPE) flaws that might be exploited to realize root privileges on machines working main Linux distributions.
The vulnerabilities, found by Qualys, are listed beneath –
- CVE-2025-6018 – LPE from unprivileged to allow_active in SUSE 15’s Pluggable Authentication Modules (PAM)
- CVE-2025-6019 – LPE from allow_active to root in libblockdev through the udisks daemon
“These fashionable ‘local-to-root’ exploits have collapsed the hole between an atypical logged-in consumer and a full system takeover,” Saeed Abbasi, Senior Supervisor at Qualys Risk Analysis Unit (TRU), stated.
“By chaining reliable providers akin to udisks loop-mounts and PAM/surroundings quirks, attackers who personal any lively GUI or SSH session can vault throughout polkit’s allow_active belief zone and emerge as root in seconds.”
The cybersecurity firm stated CVE-2025-6018 is current within the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15, enabling an unprivileged native attacker to raise to the “allow_active” consumer and name Polkit actions which might be in any other case reserved for a bodily current consumer.
CVE-2025-6019, alternatively, impacts libblockdev and is exploitable through the udisks daemon included by default on most Linux distributions. It primarily permits an “allow_active” consumer to realize full root privileges by chaining it with CVE-2025-6018.
“Though it nominally requires ‘allow_active’ privileges, udisks ships by default on nearly all Linux distributions, so practically any system is susceptible,” Abbasi added. “Methods to acquire ‘allow_active,’ together with the PAM situation disclosed right here, additional negate that barrier.”
As soon as root privileges are obtained, an attacker has carte blanche entry to the system, permitting them use it as a springboard for broader post-compromise actions, akin to altering safety controls and implanting backdoors for covert entry.
Qualys stated it has developed proof-of-concept (PoC) exploits to verify the presence of those vulnerabilities on varied working techniques, together with Ubuntu, Debian, Fedora, and openSUSE Leap 15.
To mitigate the chance posed by these flaws, it is important to use patches supplied by the Linux distribution distributors. As non permanent workarounds, customers can modify the Polkit rule for “org.freedesktop.udisks2.modify-device” to require administrator authentication (“auth_admin”).
Flaw Disclosed in Linux PAM
The disclosure comes as maintainers of Linux PAM resolved a high-severity path traversal flaw (CVE-2025-6020, CVSS rating: 7.8) that would additionally permit an area consumer to escalate to root privileges. The difficulty has been mounted in model 1.7.1.
“The module pam_namespace in linux-pam <= 1.7.0 could entry user-controlled paths with out correct protections, which permits an area consumer to raise their privileges to root through a number of symlink assaults and race situations,” Linux PAM maintainer Dmitry V. Levin stated.
Linux techniques are susceptible in the event that they use pam_namespace to arrange polyinstantiated directories for which the trail to both the polyinstantiated listing or occasion listing is below user-control. As workarounds for CVE-2025-6020, customers can disable pam_namespace or guarantee it doesn’t function on user-controlled paths.
ANSSI’s Olivier Bal-Petre, who reported the flaw to the maintainer on January 29, 2025, stated customers also needs to replace their namespace.init script if they don’t use the one supplied by their distribution to make sure that the both of two paths are secure to function on as root.
