CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able to escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
Analysis
Local privilege escalation vulnerability in libblockdev that allows an unprivileged user with Polkit 'allow_active' permissions to escalate to root privileges by crafting a malicious XFS filesystem image and exploiting udisks' mounting behavior. The vulnerability affects users with active session permissions on systems running vulnerable libblockdev versions, enabling complete system compromise through execution of SUID-root binaries embedded in specially crafted disk images. While carrying a moderate CVSS score of 7.0, the attack requires local access and user interaction with filesystem resizing operations, limiting real-world exploitation scope.
Technical Context
libblockdev is a system library providing block device manipulation functionality, commonly used by the udisks daemon for storage management operations. The vulnerability stems from improper security context handling when libblockdev interacts with udisks during filesystem resize operations. Normally, udisks mounts user-provided filesystem images with restrictive flags (nosuid, nodev) to prevent privilege escalation; however, during resize operations, this protection is bypassed. The root cause falls under CWE-250 (Execution with Unnecessary Privileges) - the library executes privileged operations without properly maintaining or validating security contexts. The attack leverages XFS filesystem features to embed SUID-root binaries that remain executable after mounting, exploiting the trusted relationship between libblockdev and the udisks daemon running with elevated privileges.
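The mount-flag condition described above can be audited from the defender's side. The following is an added example, not code from libblockdev, udisks or this advisory: it parses mount-table text in /proc/self/mounts format and reports loop-backed filesystems mounted without nosuid or nodev. The sample lines, the REQUIRED set and the /dev/loop prefix filter are constructed assumptions.

```python
import re

# Flags the advisory says udisks normally applies to user-provided images.
REQUIRED = {"nosuid", "nodev"}

# Constructed sample in /proc/self/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/loop3 /run/media/alice/usb\\040stick xfs rw,nosuid,nodev,relatime 0 0
/dev/loop7 /tmp/example-mnt xfs rw,relatime,attr2,inode64 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

def _unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def audit_mounts(text, device_prefixes=("/dev/loop",)):
    """Return (device, mountpoint, fstype, missing_flags) for each mount whose
    device matches a prefix and whose options lack a REQUIRED flag."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # not a mount-table record
        device, mountpoint, fstype = (_unescape(p) for p in parts[:3])
        if not device.startswith(device_prefixes):
            continue
        missing = sorted(REQUIRED - set(parts[3].split(",")))
        if missing:
            findings.append((device, mountpoint, fstype, missing))
    return findings

if __name__ == "__main__":
    # On a live host, pass open("/proc/self/mounts").read() instead of the sample.
    for dev, mnt, fs, missing in audit_mounts(SAMPLE_MOUNTS):
        print(f"{dev} on {mnt} ({fs}) lacks {','.join(missing)}")
```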
Affected Products
libblockdev (version range not specified in available data, but likely multiple versions prior to patched release); udisks/udisks2 daemon (integration point); Linux distributions packaging vulnerable libblockdev versions including but not limited to: Red Hat Enterprise Linux, Fedora, Debian, Ubuntu, and other distributions using libblockdev for storage management. Systems affected are those where: (1) libblockdev is installed and integrated with udisks; (2) Polkit is configured with 'allow_active' rules for block device operations; (3) Unprivileged users have session access and permission to resize filesystems. CPE pattern would be: cpe:2.3:a:libblockdev:libblockdev:*:*:*:*:*:*:*:* (specific version ranges require vendor advisories).
Remediation
Apply security patches from libblockdev maintainers (Red Hat, Linux Mint, distribution repositories) - patch details and specific version numbers require checking official vendor advisories and distribution security bulletins. Interim workarounds pending patching: (1) Restrict Polkit 'allow_active' permissions for block device operations to trusted administrators only; (2) Disable or restrict udisks daemon access for unprivileged users via Polkit policy modification; (3) Monitor and restrict filesystem resize operations to administrator-only workflows; (4) Implement mandatory access controls (SELinux, AppArmor) to prevent SUID execution from mounted user filesystems. Subscribe to security advisories from affected distribution vendors (Red Hat, Canonical, Debian) for patch release announcements and apply updates immediately upon availability.
Vendor Status
Ubuntu
Priority: High

| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| jammy | released | 2.26-1ubuntu0.1 |
| noble | released | 3.1.1-1ubuntu0.1 |
| oracular | released | 3.1.1-2ubuntu0.1 |
| plucky | released | 3.3.0-2ubuntu0.1 |
| bionic | released | 2.16-2ubuntu0.1~esm1 |
| focal | released | 2.23-2ubuntu3+esm1 |
| questing | not-affected | 3.3.0-2.1 |
| Release | Status | Version |
|---|---|---|
| trusty | needs-triage | - |
| xenial | needs-triage | - |
| upstream | needs-triage | - |
| jammy | released | 2.9.4-1ubuntu2.2 |
| noble | released | 2.10.1-6ubuntu1.2 |
| oracular | released | 2.10.1-9ubuntu3.2 |
| plucky | released | 2.10.1-11ubuntu2.2 |
| bionic | released | 2.7.6-3ubuntu0.2+esm1 |
| focal | released | 2.8.4-1ubuntu2+esm1 |
| questing | released | 2.10.1-12.1ubuntu1 |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.25-2+deb11u1 | - |
| bullseye (security) | fixed | 2.25-2+deb11u1 | - |
| bookworm, bookworm (security) | fixed | 2.28-2+deb12u1 | - |
| trixie | fixed | 3.3.0-2.1 | - |
| forky, sid | fixed | 3.4.0-2 | - |
| bookworm | fixed | 2.28-2+deb12u1 | - |
| (unstable) | fixed | 3.3.0-2.1 | - |
EUVD-2025-18685