CVE-2025-6019

Name: CVE-2025-6019
Description: LPE from allow_active to root in libblockdev via udisks
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4221-1, DSA-5943-1

Vulnerable and fixed packages

The table below lists information on source packages.

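| Source Package | Release | Version | Status |
|---|---|---|---|
| libblockdev (PTS) | bullseye | 2.25-2 | vulnerable |
| libblockdev | bullseye (security) | 2.25-2+deb11u1 | fixed |
| libblockdev | bookworm | 2.28-2 | vulnerable |
| libblockdev | bookworm (security) | 2.28-2+deb12u1 | fixed |
| libblockdev | trixie | 3.3.0-2 | vulnerable |
| libblockdev | sid | 3.3.0-2.1 | fixed |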

The information below is based on the following data on fixed versions.

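| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libblockdev | source | bullseye | 2.25-2+deb11u1 | | DLA-4221-1 | |
| libblockdev | source | bookworm | 2.28-2+deb12u1 | | DSA-5943-1 | |
| libblockdev | source | (unstable) | 3.3.0-2.1 | | | |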

Notes

https://www.openwall.com/lists/oss-security/2025/06/17/4
https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
As a hardening measure, udisks2 (in unstable since 2.10.1-12.1)
will enforce that private mounts are mounted with 'nodev,nosuid'.
