CVE-2025-6020

Summary

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Affected Software

VendorProductVersion RangeStatus
0 < 1.7.1affected
Red HatRed Hat Enterprise Linux 100:1.6.1-8.el10 < *unaffected
Red HatRed Hat Enterprise Linux 10.0 Extended Update Support0:1.6.1-8.el10_0 < *unaffected
Red HatRed Hat Enterprise Linux 7 Extended Lifecycle Support0:1.1.8-23.el7_9.1 < *unaffected
Red HatRed Hat Enterprise Linux 80:1.3.1-37.el8_10 < *unaffected
Red HatRed Hat Enterprise Linux 80:1.3.1-38.el8_10 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support0:1.3.1-8.el8_2.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support0:1.3.1-14.el8_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support0:1.3.1-16.el8_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Service0:1.3.1-16.el8_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions0:1.3.1-16.el8_6.2 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Telecommunications Update Service0:1.3.1-26.el8_8.1 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutions0:1.3.1-26.el8_8.1 < *unaffected
Red HatRed Hat Enterprise Linux 90:1.5.1-26.el9_6 < *unaffected
Red HatRed Hat Enterprise Linux 90:1.5.1-25.el9_6 < *unaffected
Red HatRed Hat Enterprise Linux 90:1.5.1-26.el9_6 < *unaffected
Red HatRed Hat Enterprise Linux 90:1.5.1-25.el9_6 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions0:1.5.1-9.el9_0.2 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutions0:1.5.1-15.el9_2.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support0:1.5.1-24.el9_4 < *unaffected
Red HatRed Hat Web Terminal 1.11 on RHEL 91.11-19 < *unaffected
Red HatRed Hat Web Terminal 1.11 on RHEL 91.11-8 < *unaffected
Red HatRed Hat Web Terminal 1.12 on RHEL 91.12-4 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-4.1752066672 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-4.1752065732 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-4.1752065732 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-3.1752065737 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-4.1752065731 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-25 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-4.1752065736 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-2.1752065733 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.5-4.1752065755 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-11 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-11 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-11 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-10 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-10 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-4 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-9 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-12 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-18 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-11 < *unaffected
Red HatRHOSS-1.36-RHEL-81.36.0-7 < *unaffected
Red Hatcert-manager operator for Red Hat OpenShift 1.16v1.16.5-1760515757 < *unaffected
Red HatOpenShift Compliance Operator 11.8.0 < *unaffected
Red HatRed Hat Discovery 22.0.0-1752592913 < *unaffected
Red HatRed Hat Discovery 22.2.1-1758555934 < *unaffected
Red HatRed Hat Insights proxy 1.51.5.7-1759331989 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752046452 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752046437 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752046439 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752070865 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752070873 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1751993590 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752070827 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752070833 < *unaffected
Red HatRed Hat OpenShift distributed tracing 3.6.0rhosdt-3.6-1752070866 < *unaffected
Red HatRed Hat OpenShift sandboxed containers 1.11.10.2-1757422110 < *unaffected
Red HatRed Hat OpenShift sandboxed containers 1.11.10.2-1757421804 < *unaffected
Red HatRed Hat OpenShift sandboxed containers 1.11.10.2-1757421879 < *unaffected
Red HatRed Hat OpenShift sandboxed containers 1.11.10.2-1757422401 < *unaffected

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Workarounds

Disable the pam_namespace module if it is not essential for your environment, or carefully review and configure it to avoid operating on any directories or paths that can be influenced or controlled by unprivileged users, such as user home directories or world-writable locations like /tmp.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

Additional References

References