CVE-2025-6019

Summary

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

Affected Software

VendorProductVersion RangeStatus
0 < 3.3.1affected
Red HatRed Hat Enterprise Linux 100:3.2.0-4.el10_0 < *unaffected
Red HatRed Hat Enterprise Linux 7 Extended Lifecycle Support0:2.18-5.el7_9.1 < *unaffected
Red HatRed Hat Enterprise Linux 80:2.28-7.el8_10 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support0:2.19-13.el8_2 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support0:2.24-6.el8_4 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support0:2.24-9.el8_6 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Service0:2.24-9.el8_6 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions0:2.24-9.el8_6 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutions0:2.28-3.el8_8 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.28-14.el9_6 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions0:2.25-12.el9_0 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutions0:2.28-5.el9_2 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support0:2.28-11.el9_4 < *unaffected

Weaknesses

  • CWE-250: Execution with Unnecessary Privileges

Workarounds

Currently, no mitigation is available for this vulnerability.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References