libblockdev: Local Privilege Escalation in libblockdev via Polkit/udisks allow_active (CVE-2025-6019) #shorts
Summary
In today’s episode we look at CVE-2025-6019, a local privilege escalation vulnerability in libblockdev that affects most major Linux distributions. Discovered and published in June 2025, this flaw allows an unprivileged, physically present user to escalate to full root privileges by abusing the way libblockdev interacts with the udisks daemon and Polkit’s allow_active setting. We’ll also touch on how this vulnerability can be chained with CVE-2025-6018 to create a powerful attack vector.
Product details
CVE-2025-6019 impacts libblockdev libraries on multiple Red Hat Enterprise Linux versions, including RHEL 7, 8, 9, and 10. The vulnerability stems from the default Polkit policy that grants active session users permission to perform certain actions via udisks. When a user has an allow_active session, they can request filesystem operations without additional authentication.
Vulnerability type summary
This is classified as an Execution with Unnecessary Privileges flaw, specifically a Local Privilege Escalation (LPE). The root cause lies in excessive trust in user-provided filesystem images combined with insufficient mount security flags, which together enable an attacker to execute code as root.
Details of the vulnerability
Under normal operation, udisks mounts user-supplied filesystem images with restrictive flags such as nosuid and nodev to prevent escalation. However, an attacker can craft a malicious XFS image containing a SUID-root shell. By invoking a resize operation through libblockdev and udisks, which Polkit's allow_active rule permits for any active local session, the attacker causes the image to be mounted without those security flags. Because the root-owned daemon performs the mount, the SUID-root shell on the malicious filesystem is honoured and can be executed to obtain root. Moreover, security researchers at Qualys have shown that CVE-2025-6019 can be chained with CVE-2025-6018, another recent LPE, to create a seamless path to root on most Linux distributions.
Conclusion
CVE-2025-6019 underscores the importance of strict mount policies and cautious Polkit configurations. Administrators should apply the latest patches for libblockdev and udisks immediately and review Polkit rules to limit allow_active permissions. If you’re running RHEL 7, 8, 9 or 10, ensure your systems are updated. Given the ability to chain this flaw with CVE-2025-6018, timely mitigation is critical to maintaining system integrity.
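One way to carry out that Polkit review, as an added example that is not from the video or from the libblockdev/udisks projects: a rules.d entry that raises the udisks2 action org.freedesktop.udisks2.modify-device from allow_active to administrator authentication, wrapped in a small offline stand-in for the polkit rules API so the rule's effect on different sessions can be checked before it is deployed. The action ID is assumed to be the one covering the resize request (the page does not name it), and the stand-in models only addRule and Result.

```javascript
// Offline stand-in for the polkit JavaScript rules API (assumption: only
// addRule and Result are modelled). On a real host polkitd provides the
// `polkit` global, and only the polkit.addRule(...) call below is what goes
// into a file such as /etc/polkit-1/rules.d/10-udisks2-modify-device.rules.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  addRule(fn) { rules.push(fn); },
};

// Hardening rule: require administrator authentication for the udisks2
// "modify device" action instead of the allow_active default. The action ID
// is assumed from the udisks2 policy file, not taken from the page.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
});

// Evaluate rules in order as polkitd does: the first rule returning a defined
// Result decides. Otherwise fall back to the action's implicit authorization,
// which for an active local session is the allow_active value (modelled here
// as "yes", the udisks2 default for mount/modify actions).
function authorize(actionId, subject, implicitActive = polkit.Result.YES) {
  const action = { id: actionId };
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined) return r;
  }
  return subject.active ? implicitActive : polkit.Result.NO;
}

// Constructed sample subjects: a user on the local console and an SSH session.
const consoleUser = { user: "alice", active: true, local: true };
const sshUser = { user: "bob", active: false, local: false };

console.log(authorize("org.freedesktop.udisks2.modify-device", consoleUser)); // auth_admin
console.log(authorize("org.freedesktop.udisks2.filesystem-mount", consoleUser)); // yes
console.log(authorize("org.freedesktop.udisks2.filesystem-mount", sshUser)); // no
```

After installing the rule, `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device` still shows the packaged defaults; the override only takes effect at authorization time, which is why a dry run like the one above is useful.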
Watch the full video on YouTube: CVE-2025-6019
Remediation and exploitation details
This chain involves the following actors
- Local Attacker: Unprivileged user with an active Polkit session
The following systems are involved
- libblockdev (Library for block device management): Client interface to the disk management daemon
- udisksd (Disk management daemon): Processes mount and resize requests
- PolicyKit (Authorization framework): Determines which users can perform which actions
Attack entry point
- Polkit allow_active setting: Allows physically present users to perform certain udisks actions without additional credentials
- Crafted XFS image: Filesystem image embedding a SUID-root shell
Remediation actions
Exploitation actions
Filesystem image crafting
- mkfs.xfs -f malicious.xfs
- guestfish --rw -a malicious.xfs -m /dev/sda1 'dd of=/shell bs=1 count=0 seek=0; chmod 4755 /shell'
udisksctl resize command
- udisksctl resize -b malicious.xfs
- udevadm settle
Insecure mount invocation
- mount -o loop malicious.xfs /mnt
Setuid execution
- /mnt/shell
- id
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://access.redhat.com/security/cve/CVE-2025-6019
- https://bugzilla.redhat.com/show_bug.cgi?id=2370051
- [2025-06-18] Qualys researchers discovered two LPEs that can be chained to gain root access on most Linux distros.
- [2025-06-19] CVE-2025-6019 vulnerability allows attackers to gain root privileges in most Linux distributions.
- [2025-06-19] Two new Linux vulnerabilities, CVE-2025-6018 and CVE-2025-6019, can be chained to gain root access, adding to the cybersecurity challenges faced by teams this month.