Field | Value |
---|---|
Name | CVE-2025-6019 |
Description | A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able to escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-4221-1, DSA-5943-1 |
The table below lists information on source packages.

Source Package | Release | Version | Status |
---|---|---|---|
libblockdev (PTS) | bullseye | 2.25-2 | vulnerable |
libblockdev (PTS) | bullseye (security) | 2.25-2+deb11u1 | fixed |
libblockdev (PTS) | bookworm | 2.28-2 | vulnerable |
libblockdev (PTS) | bookworm (security) | 2.28-2+deb12u1 | fixed |
libblockdev (PTS) | sid, trixie | 3.3.0-2.1 | fixed |
The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
libblockdev | source | bullseye | 2.25-2+deb11u1 | | DLA-4221-1 | |
libblockdev | source | bookworm | 2.28-2+deb12u1 | | DSA-5943-1 | |
libblockdev | source | (unstable) | 3.3.0-2.1 | | | |
https://www.openwall.com/lists/oss-security/2025/06/17/4
https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Fixed by: https://github.com/storaged-project/libblockdev/commit/46b54414f66e965e3c37f8f51e621f96258ae22e (3.3.1)
As a hardening measure, udisks2 (in unstable since 2.10.1-12.1) will enforce that private mounts are mounted with 'nodev,nosuid'.
https://github.com/storaged-project/udisks/commit/5e7277debea926370e587408517560afe87d28c9
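A defender-side check for the hardening described above, added here as an illustrative example and not code from udisks, libblockdev or Debian: it parses lines in /proc/self/mountinfo format (field layout as documented in proc(5)) and reports loop-backed mounts, i.e. mounted filesystem images, that lack nosuid or nodev. The sample mountinfo entries are constructed.

```python
"""Audit loop-backed mounts for missing nosuid/nodev flags.
Hypothetical audit helper (not udisks or libblockdev code); the sample
mountinfo lines below are constructed for demonstration."""
from dataclasses import dataclass

REQUIRED_FLAGS = frozenset({"nosuid", "nodev"})


@dataclass(frozen=True)
class Mount:
    mount_point: str
    fs_type: str
    source: str
    options: frozenset


def parse_mountinfo_line(line: str) -> Mount:
    """Parse one /proc/self/mountinfo line (format per proc(5)).
    Per-mount flags such as nosuid/nodev sit in field 6; optional fields
    run up to the lone '-', followed by fs type, source and super options.
    proc escapes spaces in paths as \\040."""
    pre, sep, post = line.partition(" - ")
    fields, tail = pre.split(), post.split()
    if not sep or len(fields) < 6 or len(tail) < 2:
        raise ValueError(f"malformed mountinfo line: {line!r}")
    mount_point = fields[4].replace("\\040", " ")
    return Mount(mount_point, tail[0], tail[1], frozenset(fields[5].split(",")))


def find_unhardened_mounts(lines, loop_only=True):
    """Return (mount_point, fs_type, missing_flags) for every mount lacking
    one of REQUIRED_FLAGS. By default only loop devices are examined, since
    a user-supplied filesystem image mounted through udisks is loop-backed."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        m = parse_mountinfo_line(line)
        if loop_only and not m.source.startswith("/dev/loop"):
            continue
        missing = REQUIRED_FLAGS - m.options
        if missing:
            findings.append((m.mount_point, m.fs_type, sorted(missing)))
    return findings


# Constructed sample: the root fs (not loop-backed), a hardened loop mount,
# and an XFS loop mount missing both flags, which is what the fix forbids.
SAMPLE_MOUNTINFO = """\
36 35 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
110 36 7:0 / /run/media/alice/usb rw,nosuid,nodev,relatime shared:60 - vfat /dev/loop0 rw,fmask=0022
120 36 7:1 / /tmp/loop\\040mnt rw,relatime shared:70 - xfs /dev/loop1 rw,attr2,inode64
"""
```

On a live host, pass `open("/proc/self/mountinfo")` to `find_unhardened_mounts` to audit the current mount table.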