CVE-2025-6019

Name	CVE-2025-6019
Description	A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4221-1, DSA-5943-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libblockdev (PTS)	bullseye	2.25-2	vulnerable
	bullseye (security)	2.25-2+deb11u1	fixed
	bookworm, bookworm (security)	2.28-2+deb12u1	fixed
	trixie	3.3.0-2.1	fixed
	forky, sid	3.3.1-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
libblockdev	source	bullseye	2.25-2+deb11u1	DLA-4221-1
libblockdev	source	bookworm	2.28-2+deb12u1	DSA-5943-1
libblockdev	source	(unstable)	3.3.0-2.1

Notes

https://www.openwall.com/lists/oss-security/2025/06/17/4
https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Fixed by: https://github.com/storaged-project/libblockdev/commit/46b54414f66e965e3c37f8f51e621f96258ae22e (3.3.1)
As hardening measure udisks2 (in unstable since 2.10.1-12.1)
will enforce that private mounts are mounted with 'nodev,nosuid'.
https://github.com/storaged-project/udisks/commit/5e7277debea926370e587408517560afe87d28c9