CVE-2025-6019
Libblockdev: lpe from allow_active to root in libblockdev via udisks
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.
USN-7577-1 fixed a vulnerability in libblockdev. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that libblockdev incorrectly handled mount options when resizing certain filesystems. A local attacker with an active session on the console can use this issue to escalate their privileges to root.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2025-06-11 CVE Reserved
- 2025-06-19 CVE Published
- 2025-06-25 EPSS Updated
- 2025-06-26 First Exploit
- 2025-06-30 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-250: Execution with Unnecessary Privileges
CAPEC
References (20)
| URL | Date | SRC |
|---|---|---|
| https://github.com/guinea-offensive-security/CVE-2025-6019 | 2025-06-28 | |
| https://github.com/And-oss/CVE-2025-6019-exploit | 2025-06-26 | |
| https://github.com/neko205-mx/CVE-2025-6019_Exploit | 2025-06-30 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2025-6019 | 2025-06-19 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2370051 | 2025-06-19 | |
| https://access.redhat.com/errata/RHSA-2025:9320 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9321 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9322 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9323 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9324 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9325 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9326 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9327 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9328 | 2025-06-30 | |
| https://access.redhat.com/errata/RHSA-2025:9878 | 2025-06-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Red Hat Search vendor "Red Hat" | Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | * | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Slackware Search vendor "Slackware" | Slackware Linux Search vendor "Slackware" for product "Slackware Linux" | * | - |
Affected
| ||||||