polkit: Out-of-bounds write in polkit XML policy handler (CVE-2025-7519) #shorts
Summary
Hello and welcome to the Security Insights podcast. Today we’re discussing CVE-2025-7519, a critical out-of-bounds write vulnerability in polkit’s XML policy file handler. This flaw can lead to application crashes or even arbitrary code execution when a specially crafted XML policy with at least 32 nested elements is processed. Exploitation requires a high-privilege account to install the malicious policy file, but once in place, it poses a serious risk to affected systems.
Product details
Polkit is a system service widely used in Linux distributions to control and delegate system-level privileges. The vulnerable code resides in polkit versions up to 0.126. Affected platforms include Red Hat Enterprise Linux 6, 7, 8, 9, and 10, Red Hat OpenShift Container Platform 4, as well as SUSE Linux Enterprise distributions that ship the same polkit build. Both Red Hat and SUSE have published advisories and issued patches to address the issue.
Vulnerability type summary
This is an out-of-bounds write vulnerability, a form of buffer overflow. In C-based XML processing code, insufficient bounds checking allows data to be written beyond the intended buffer boundary, which can corrupt memory or control execution flow.
Details of the vulnerability
When polkit parses an XML policy file containing 32 or more nested elements, a loop counter and a buffer size calculation go out of sync. The code writes past the allocated buffer, triggering memory corruption. In testing, this leads to polkitd crashes and can be crafted for arbitrary code execution under the polkit service context. Because the malicious XML file must be placed in a policy directory, the attacker needs local root or equivalent high-privilege access; once the file is in place, however, any user-triggered policy check can activate the flaw.
Conclusion
To protect your systems, apply the polkit patches released by your vendor immediately. Red Hat users should install the latest errata, and SUSE customers should apply the advisory update. If patching is not possible right away, restrict write permissions on polkit policy directories or disable untrusted policy imports. Stay vigilant and monitor your logs for unexpected polkit crashes to ensure you’re not exposed to CVE-2025-7519.
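An added defensive audit script, not polkit's or either vendor's code, covering the two checks recommended above: it flags policy XML files whose element nesting reaches the 32-element depth described in the vulnerability details, and policy directories that a non-root user could write into. The directory path is the one named on this page; any other locations you add for your distribution are an assumption.

```python
import io
import os
import xml.etree.ElementTree as ET
from typing import Iterable, List

NESTING_THRESHOLD = 32  # 32 or more nested elements is the trigger condition named on this page
POLICY_DIRS = ["/etc/polkit-1/localauthority/50-local.d"]  # directory named on this page; extend per distro

def max_nesting_depth(xml_bytes: bytes) -> int:
    """Deepest element nesting (root = 1), streamed via iterparse; -1 if the XML is malformed."""
    depth = deepest = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end")):
            if event == "start":
                depth += 1
                deepest = max(deepest, depth)
            else:
                depth -= 1
    except ET.ParseError:
        return -1
    return deepest

def check_policy_bytes(name: str, xml_bytes: bytes) -> List[str]:
    """Findings for one policy document: unparseable content or over-nesting."""
    depth = max_nesting_depth(xml_bytes)
    if depth < 0:
        return [f"{name}: malformed XML"]
    if depth >= NESTING_THRESHOLD:
        return [f"{name}: {depth} nested elements (>= {NESTING_THRESHOLD}); review before loading"]
    return []

def check_dir_permissions(path: str) -> List[str]:
    """Flag a policy directory that a non-root user could write into."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: not owned by root (uid {st.st_uid})")
    if st.st_mode & 0o022:  # group- or world-writable
        findings.append(f"{path}: group/other-writable (mode {oct(st.st_mode & 0o777)})")
    return findings

def audit(dirs: Iterable[str] = POLICY_DIRS) -> List[str]:
    """Audit every .policy/.xml file under the given directories; missing directories are skipped."""
    findings: List[str] = []
    for d in filter(os.path.isdir, dirs):
        findings += check_dir_permissions(d)
        for entry in sorted(e for e in os.listdir(d) if e.endswith((".policy", ".xml"))):
            with open(os.path.join(d, entry), "rb") as fh:
                findings += check_policy_bytes(os.path.join(d, entry), fh.read())
    return findings
```

Run `audit()` from cron or a configuration-management check; an empty list means no over-nested files and no writable policy directories were found.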
Watch the full video on YouTube: CVE-2025-7519
Remediation and exploitation details
This chain involves the following actors:
- Privileged attacker: Places a malicious policy file and triggers the vulnerability
- System administrator: Applies vendor patches and monitors integrity of policy directories
The following systems are involved:
- polkit daemon (Enforces system-wide privilege policies based on XML files): Parses policy files and makes authorization decisions
- Affected Linux hosts (General-purpose servers or containers running Red Hat Enterprise Linux, SUSE or OpenShift): Run the polkit daemon that is vulnerable to out-of-bounds writes
Attack entry point
- Local policy directory: The /etc/polkit-1/localauthority/50-local.d directory where custom XML policies are loaded
Remediation actions
Exploitation actions
Create an XML file with 32 or more nested elements to overflow the parser’s buffer
- policy.xml containing 32 nested <action> tags
Use high-privilege credentials to place the file in /etc/polkit-1/localauthority/50-local.d/
- sudo cp policy.xml /etc/polkit-1/localauthority/50-local.d/malicious.policy
Invoke any tool that consults polkit (for example pkexec) or restart the polkit service to force a parse
- pkexec id
- systemctl restart polkit
During XML parsing the nested structure overruns the buffer, causing a crash or arbitrary code execution with elevated privileges
- polkitd segmentation fault in xml_parse_element_start
- Potential shell spawned under root context
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://access.redhat.com/security/cve/CVE-2025-7519
- https://bugzilla.redhat.com/show_bug.cgi?id=2379675
- https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245
- https://github.com/polkit-org/polkit/pull/570
- [2025-07-12] A critical vulnerability in Polkit's XML Policy File Handler has been identified, affecting an unknown function and potentially leading to a buffer overflow.
- [2025-07-26] SUSE issues an advisory for an out-of-bounds vulnerability in polkit, identified as CVE-2025-7519.
- [2025-07-26] SUSE releases an important patch for polkit to address an out-of-bounds write risk.
- [2025-07-26] SUSE addresses an out-of-bounds access issue in polkit, identified as CVE-2025-7519.