BREAKINGON

Critical Linux Vulnerabilities Expose Systems to Root Access: What You Need to Know

6/19/2025
Cybersecurity experts have discovered serious local privilege escalation flaws in major Linux distributions that could allow attackers to gain root access. Learn how to protect your system now!

Critical Local Privilege Escalation Vulnerabilities Discovered in Major Linux Distributions

Cybersecurity researchers have recently identified two significant local privilege escalation (LPE) vulnerabilities that could potentially allow attackers to gain root privileges on systems running popular Linux distributions. These vulnerabilities, uncovered by the cybersecurity firm Qualys, pose a serious risk to users and organizations relying on these systems. The vulnerabilities are cataloged as follows:

CVE-2025-6018 - LPE from unprivileged to allow_active in SUSE 15's Pluggable Authentication Modules (PAM)

CVE-2025-6019 - LPE from allow_active to root in libblockdev via the udisks daemon

Understanding the Vulnerabilities

These new local-to-root exploits significantly narrow the gap between a standard logged-in user and a complete system takeover. Saeed Abbasi, Senior Manager at Qualys Threat Research Unit (TRU), highlighted that by exploiting legitimate services such as udisks loop-mounts and PAM quirks, attackers can bypass polkit's allow_active trust zone. This allows an attacker with access to any active GUI or SSH session to escalate their privileges to root in mere seconds.

Specifically, CVE-2025-6018 affects the PAM configuration in both openSUSE Leap 15 and SUSE Linux Enterprise 15. This vulnerability enables an unprivileged local attacker to elevate their privileges to the allow_active user level, which lets them execute Polkit actions typically reserved for a physically present user. CVE-2025-6019, in turn, impacts libblockdev and is exploitable through the udisks daemon, which is included by default in most Linux distributions. By chaining it with CVE-2025-6018, an attacker who has reached allow_active can gain full root privileges.

Widespread Vulnerability Across Linux Distributions

Qualys indicates that while CVE-2025-6019 nominally requires 'allow_active' privileges, the udisks daemon is shipped by default across nearly all Linux distributions. This means that virtually any system could be vulnerable, as Abbasi noted. Techniques to obtain 'allow_active' privileges, including the PAM issue disclosed here, further diminish the security barriers in place.

Once an attacker secures root privileges, they gain unrestricted access to the system, enabling them to manipulate security controls and implant backdoors for covert access. The implications of such vulnerabilities can be severe, emphasizing the need for immediate attention from system administrators.

Proof of Concept and Mitigation Steps

Qualys has developed proof-of-concept (PoC) exploits to validate the existence of these vulnerabilities across various operating systems, including Ubuntu, Debian, Fedora, and openSUSE Leap 15. To mitigate the risks associated with these flaws, it is crucial for users to apply the patches provided by their respective Linux distribution vendors. As a temporary measure, users can modify the Polkit rule for org.freedesktop.udisks2.modify-device to require administrator authentication (auth_admin).
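A way to check whether the temporary mitigation is in place, as an added example that is not from Qualys or the original article: it reads a polkit policy document and reports the authorization granted to active sessions for org.freedesktop.udisks2.modify-device. The XML samples are constructed, the function names are hypothetical, and "yes" is assumed to be the weak value.

```python
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"

# Constructed policy fragment, not copied from any distribution. "yes" is the
# assumed weak value: active sessions are authorized without a password.
WEAK_POLICY = """<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

# The same fragment with the temporary mitigation applied.
HARDENED_POLICY = WEAK_POLICY.replace(
    "<allow_active>yes</allow_active>",
    "<allow_active>auth_admin</allow_active>")

# Implicit authorizations that still demand an administrator (or deny outright).
ADMIN_ONLY = {"auth_admin", "auth_admin_keep", "no"}


def active_session_auth(policy_xml, action_id=ACTION_ID):
    """Return the <allow_active> value declared for action_id, or None."""
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        if action.get("id") == action_id:
            value = action.findtext("defaults/allow_active")
            return value.strip() if value else None
    return None


def audit(policy_xml, action_id=ACTION_ID):
    """Classify the action as 'ok', 'weak' or 'not-declared'.

    Only the policy file's defaults are inspected; a rules file can still
    override them, so confirm the effective result on the host as well.
    """
    value = active_session_auth(policy_xml, action_id)
    if value is None:
        return "not-declared"
    return "ok" if value in ADMIN_ONLY else "weak"


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, active_session_auth(doc), audit(doc))
```

On a live system, `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device` prints the implicit authorizations polkit currently has registered for the action.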

Recent Vulnerabilities in Linux PAM

The disclosure of these vulnerabilities coincides with an announcement from the maintainers of Linux PAM, who recently resolved a high-severity path traversal flaw identified as CVE-2025-6020 (CVSS score: 7.8). This flaw could also enable local users to escalate their privileges to root. The issue has been addressed in linux-pam version 1.7.1.

The pam_namespace module in linux-pam versions 1.7.0 and below may access user-controlled paths without appropriate protections, allowing local users to elevate their privileges to root through various symlink attacks and race conditions, according to Linux PAM maintainer Dmitry V. Levin. Systems employing pam_namespace to establish polyinstantiated directories are particularly vulnerable if the path to these directories is under user control.

To address the risks posed by CVE-2025-6020, users are advised to disable pam_namespace or ensure it does not operate on user-controlled paths. Staying informed and proactive about these vulnerabilities is essential for maintaining the security of Linux systems.
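A first-pass audit for the two conditions named above, as an added example that is not part of the original article or the linux-pam project: it checks whether a PAM stack loads pam_namespace.so and which polyinstantiated directories sit under a user's home. The file contents are constructed samples, the function names are hypothetical, and treating `$HOME` and `/home/` as markers of a user-controlled path is a heuristic assumption.

```python
# Constructed samples; on a host these would be read from the PAM service
# files and from the pam_namespace configuration file.
PAM_STACK = """\
# constructed PAM service file
session  required  pam_limits.so
session  required  pam_namespace.so
#session required  pam_namespace.so debug
"""

NAMESPACE_CONF = """\
# polydir  instance_prefix      method  exempt_users
/tmp       /tmp-inst/           level   root,adm
$HOME      $HOME/$USER.inst/    level
/var/tmp   /var/tmp/tmp-inst/   level   root,adm
"""

# Heuristic markers for paths a user owns (assumption, not an exhaustive test).
USER_CONTROLLED = ("$HOME", "/home/")


def pam_namespace_enabled(pam_text):
    """True if any uncommented PAM line loads pam_namespace.so."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if any(f.endswith("pam_namespace.so") for f in fields):
            return True
    return False


def risky_polydirs(conf_text):
    """Return polydirs whose path or instance prefix looks user-controlled."""
    hits = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:          # need polydir, instance_prefix, method
            continue
        polydir, prefix = fields[0], fields[1]
        if any(p.startswith(USER_CONTROLLED) for p in (polydir, prefix)):
            hits.append(polydir)
    return hits


if __name__ == "__main__":
    if pam_namespace_enabled(PAM_STACK):
        for polydir in risky_polydirs(NAMESPACE_CONF):
            print("review polyinstantiated directory:", polydir)
```

A flagged entry is a prompt to inspect ownership and permissions of the real directories; an empty result does not prove every configured path is outside user control.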
