Skip to main content

Polkit CVE-2025-6019

| EUVDEUVD-2025-18685 HIGH
Execution with Unnecessary Privileges (CWE-250)
2025-06-19 secalert@redhat.com
High
Disputed · 7.0 Vendor: redhat
Share

Severity by source

Sources disagree (Low–High)
Vendor (redhat) PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
HIGH
qualitative
SUSE
3.1 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 00:08 euvd
EUVD-2025-18685
Analysis Generated
Mar 15, 2026 - 00:08 vuln.today
CVE Published
Jun 19, 2025 - 12:15 nvd
HIGH 7.0

DescriptionCVE.org

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

AnalysisAI

Local privilege escalation vulnerability in libblockdev that allows an unprivileged user with Polkit 'allow_active' permissions to escalate to root privileges by crafting a malicious XFS filesystem image and exploiting udisks' mounting behavior. The vulnerability affects users with active session permissions on systems running vulnerable libblockdev versions, enabling complete system compromise through execution of SUID-root binaries embedded in specially crafted disk images. While carrying a moderate CVSS score of 7.0, the attack requires local access and user interaction with filesystem resizing operations, limiting real-world exploitation scope.

Technical ContextAI

libblockdev is a system library providing block device manipulation functionality, commonly used by the udisks daemon for storage management operations. The vulnerability stems from improper security context handling when libblockdev interacts with udisks during filesystem resize operations. Normally, udisks mounts user-provided filesystem images with restrictive flags (nosuid, nodev) to prevent privilege escalation; however, during resize operations, this protection is bypassed. The root cause falls under CWE-250 (Execution with Unnecessary Privileges) - the library executes privileged operations without properly maintaining or validating security contexts. The attack leverages XFS filesystem features to embed SUID-root binaries that remain executable after mounting, exploiting the trusted relationship between libblockdev and the udisks daemon running with elevated privileges.

RemediationAI

Apply security patches from libblockdev maintainers (Red Hat, Linux Mint, distribution repositories) - patch details and specific version numbers require checking official vendor advisories and distribution security bulletins. Interim workarounds pending patching: (1) Restrict Polkit 'allow_active' permissions for block device operations to trusted administrators only; (2) Disable or restrict udisks daemon access for unprivileged users via Polkit policy modification; (3) Monitor and restrict filesystem resize operations to administrator-only workflows; (4) Implement mandatory access controls (SELinux, AppArmor) to prevent SUID execution from mounted user filesystems. Subscribe to security advisories from affected distribution vendors (Red Hat, Canonical, Debian) for patch release announcements and apply updates immediately upon availability.

Vendor StatusVendor

Ubuntu

Priority: High
libblockdev
Release Status Version
upstream needs-triage -
jammy released 2.26-1ubuntu0.1
noble released 3.1.1-1ubuntu0.1
oracular released 3.1.1-2ubuntu0.1
plucky released 3.3.0-2ubuntu0.1
bionic released 2.16-2ubuntu0.1~esm1
focal released 2.23-2ubuntu3+esm1
questing not-affected 3.3.0-2.1
udisks2
Release Status Version
trusty needs-triage -
xenial needs-triage -
upstream needs-triage -
jammy released 2.9.4-1ubuntu2.2
noble released 2.10.1-6ubuntu1.2
oracular released 2.10.1-9ubuntu3.2
plucky released 2.10.1-11ubuntu2.2
bionic released 2.7.6-3ubuntu0.2+esm1
focal released 2.8.4-1ubuntu2+esm1
questing released 2.10.1-12.1ubuntu1

Debian

libblockdev
Release Status Fixed Version Urgency
bullseye fixed 2.25-2+deb11u1 -
bullseye (security) fixed 2.25-2+deb11u1 -
bookworm, bookworm (security) fixed 2.28-2+deb12u1 -
trixie fixed 3.3.0-2.1 -
forky, sid fixed 3.4.0-2 -
bookworm fixed 2.28-2+deb12u1 -
(unstable) fixed 3.3.0-2.1 -

SUSE

Severity: Low
Product Status
Container suse/sl-micro/6.0/toolbox:latest Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 7 LTSS Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed

Share

CVE-2025-6019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy