Severity by source
Sources disagree (Low–High)AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
AnalysisAI
Local privilege escalation vulnerability in libblockdev that allows an unprivileged user with Polkit 'allow_active' permissions to escalate to root privileges by crafting a malicious XFS filesystem image and exploiting udisks' mounting behavior. The vulnerability affects users with active session permissions on systems running vulnerable libblockdev versions, enabling complete system compromise through execution of SUID-root binaries embedded in specially crafted disk images. While carrying a moderate CVSS score of 7.0, the attack requires local access and user interaction with filesystem resizing operations, limiting real-world exploitation scope.
Technical ContextAI
libblockdev is a system library providing block device manipulation functionality, commonly used by the udisks daemon for storage management operations. The vulnerability stems from improper security context handling when libblockdev interacts with udisks during filesystem resize operations. Normally, udisks mounts user-provided filesystem images with restrictive flags (nosuid, nodev) to prevent privilege escalation; however, during resize operations, this protection is bypassed. The root cause falls under CWE-250 (Execution with Unnecessary Privileges) - the library executes privileged operations without properly maintaining or validating security contexts. The attack leverages XFS filesystem features to embed SUID-root binaries that remain executable after mounting, exploiting the trusted relationship between libblockdev and the udisks daemon running with elevated privileges.
RemediationAI
Apply security patches from libblockdev maintainers (Red Hat, Linux Mint, distribution repositories) - patch details and specific version numbers require checking official vendor advisories and distribution security bulletins. Interim workarounds pending patching: (1) Restrict Polkit 'allow_active' permissions for block device operations to trusted administrators only; (2) Disable or restrict udisks daemon access for unprivileged users via Polkit policy modification; (3) Monitor and restrict filesystem resize operations to administrator-only workflows; (4) Implement mandatory access controls (SELinux, AppArmor) to prevent SUID execution from mounted user filesystems. Subscribe to security advisories from affected distribution vendors (Red Hat, Canonical, Debian) for patch release announcements and apply updates immediately upon availability.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allVendor StatusVendor
Ubuntu
Priority: High| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| jammy | released | 2.26-1ubuntu0.1 |
| noble | released | 3.1.1-1ubuntu0.1 |
| oracular | released | 3.1.1-2ubuntu0.1 |
| plucky | released | 3.3.0-2ubuntu0.1 |
| bionic | released | 2.16-2ubuntu0.1~esm1 |
| focal | released | 2.23-2ubuntu3+esm1 |
| questing | not-affected | 3.3.0-2.1 |
| Release | Status | Version |
|---|---|---|
| trusty | needs-triage | - |
| xenial | needs-triage | - |
| upstream | needs-triage | - |
| jammy | released | 2.9.4-1ubuntu2.2 |
| noble | released | 2.10.1-6ubuntu1.2 |
| oracular | released | 2.10.1-9ubuntu3.2 |
| plucky | released | 2.10.1-11ubuntu2.2 |
| bionic | released | 2.7.6-3ubuntu0.2+esm1 |
| focal | released | 2.8.4-1ubuntu2+esm1 |
| questing | released | 2.10.1-12.1ubuntu1 |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.25-2+deb11u1 | - |
| bullseye (security) | fixed | 2.25-2+deb11u1 | - |
| bookworm, bookworm (security) | fixed | 2.28-2+deb12u1 | - |
| trixie | fixed | 3.3.0-2.1 | - |
| forky, sid | fixed | 3.4.0-2 | - |
| bookworm | fixed | 2.28-2+deb12u1 | - |
| (unstable) | fixed | 3.3.0-2.1 | - |
SUSE
Severity: Low| Product | Status |
|---|---|
| Container suse/sl-micro/6.0/toolbox:latest Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE | Affected |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Liberty Linux 7 LTSS | Fixed |
| SUSE Liberty Linux 8 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro for Rancher 5.3 | Fixed |
| SUSE Linux Enterprise Micro for Rancher 5.4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Enterprise Storage 7 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP2 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP2 | Fixed |
| SUSE Linux Enterprise Server 15 SP2-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.1 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.1 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.1 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap Micro 5.3 | Fixed |
| openSUSE Leap Micro 5.4 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18685