CVE-2025-6019 - Vulnerability Details

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
libblockdev-0:3.2.0-4.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:9328	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 8
libblockdev-0:2.28-7.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:9878	2025-06-30T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
libblockdev-0:2.19-13.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:9320	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
libblockdev-0:2.24-6.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:9321	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
libblockdev-0:2.24-9.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:9322	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
libblockdev-0:2.24-9.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:9322	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
libblockdev-0:2.24-9.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:9322	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
libblockdev-0:2.28-3.el8_8	cpe:/a:redhat:rhel_e4s:8.8	RHSA-2025:9323	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 9
libblockdev-0:2.28-14.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:9327	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
libblockdev-0:2.25-12.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:9324	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
libblockdev-0:2.28-5.el9_2	cpe:/a:redhat:rhel_e4s:9.2	RHSA-2025:9325	2025-06-23T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
libblockdev-0:2.28-11.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:9326	2025-06-23T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/06/17/5
http://www.openwall.com/lists/oss-security/2025/06/17/6
http://www.openwall.com/lists/oss-security/2025/06/18/1
https://access.redhat.com/errata/RHSA-2025:9320
https://access.redhat.com/errata/RHSA-2025:9321
https://access.redhat.com/errata/RHSA-2025:9322
https://access.redhat.com/errata/RHSA-2025:9323
https://access.redhat.com/errata/RHSA-2025:9324
https://access.redhat.com/errata/RHSA-2025:9325
https://access.redhat.com/errata/RHSA-2025:9326
https://access.redhat.com/errata/RHSA-2025:9327
https://access.redhat.com/errata/RHSA-2025:9328
https://access.redhat.com/errata/RHSA-2025:9878
https://access.redhat.com/security/cve/CVE-2025-6019
https://bugzilla.redhat.com/show_bug.cgi?id=2370051
https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
https://lists.debian.org/debian-lts-announce/2025/06/msg00018.html
https://news.ycombinator.com/item?id=44325861
https://nvd.nist.gov/vuln/detail/CVE-2025-6019
https://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/
https://www.cve.org/CVERecord?id=CVE-2025-6019

History

Mon, 30 Jun 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Mon, 30 Jun 2025 02:45:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb
References		https://access.redhat.com/errata/RHSA-2025:9878

Mon, 23 Jun 2025 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:8.8 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_e4s:9.2 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.6
References		https://news.ycombinator.com/item?id=44325861 https://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/

Mon, 23 Jun 2025 06:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus
CPEs	cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:9	cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_e4s:9.0::appstream cpe:/a:redhat:rhel_e4s:9.2::appstream cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Eus Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:9320 https://access.redhat.com/errata/RHSA-2025:9321 https://access.redhat.com/errata/RHSA-2025:9322 https://access.redhat.com/errata/RHSA-2025:9323 https://access.redhat.com/errata/RHSA-2025:9324 https://access.redhat.com/errata/RHSA-2025:9325 https://access.redhat.com/errata/RHSA-2025:9326 https://access.redhat.com/errata/RHSA-2025:9327 https://access.redhat.com/errata/RHSA-2025:9328

Sat, 21 Jun 2025 23:15:00 +0000

Type	Values Removed	Values Added
References		https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

Fri, 20 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 19 Jun 2025 12:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/06/17/5 http://www.openwall.com/lists/oss-security/2025/06/17/6 http://www.openwall.com/lists/oss-security/2025/06/18/1 https://lists.debian.org/debian-lts-announce/2025/06/msg00018.html

Thu, 19 Jun 2025 12:00:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
Title	libblockdev: LPE from allow_active to root in libblockdev via udisks	Libblockdev: lpe from allow_active to root in libblockdev via udisks
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-6019 https://bugzilla.redhat.com/show_bug.cgi?id=2370051

Wed, 18 Jun 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		libblockdev: LPE from allow_active to root in libblockdev via udisks
Weaknesses		CWE-250
References		https://nvd.nist.gov/vuln/detail/CVE-2025-6019 https://www.cve.org/CVERecord?id=CVE-2025-6019
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-06-19T11:55:57.380Z

Updated: 2025-06-30T01:52:58.600Z

Reserved: 2025-06-11T22:14:52.625Z

Link: CVE-2025-6019

Vulnrichment

Updated: 2025-06-23T13:39:55.143Z

NVD

Status : Awaiting Analysis

Published: 2025-06-19T12:15:19.727

Modified: 2025-06-30T03:15:25.990

Link: CVE-2025-6019

Redhat

Severity : Important

Publid Date: 2025-06-17T00:00:00Z

Links: CVE-2025-6019 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object