Chaining two LPEs to get “root”: Most Linux distros vulnerable (CVE-2025-6018, CVE-2025-6019)
Qualys researchers have unearthed two local privilege escalation vulnerabilities (CVE-2025-6018, CVE-2025-6019) that can be exploited in tandem to achieve root access on most Linux distributions “with minimal effort.”
About the vulnerabilities (CVE-2025-6018, CVE-2025-6019)
CVE-2025-6018 affects the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. It allows an unprivileged local attacker, for example one who logs in over a remote SSH session, to obtain the polkit “allow_active” privileges normally reserved for a user physically present at the console.
(PAM controls how users authenticate and how their sessions are set up on Linux. The vulnerability is effectively a configuration weakness: a remote SSH login ends up being treated as though the user were seated at the local console, which is the condition polkit’s “allow_active” trust level is meant to express.)
Having “allow_active” privileges allows the attacker to perform actions necessary to exploit CVE-2025-6019, a vulnerability in libblockdev, to elevate privileges to root.
Once root access is achieved, the attacker can do much damage: switch off EDR agents, implant backdoors, change configurations, and so on. The compromised system can thus become a launchpad for wider organizational compromise.
Saeed Abbasi, Senior Manager, Product Management for Security Research at Qualys, noted that CVE-2025-6019 is exploitable via the udisks daemon, which is installed by default on almost all Linux distributions. The Qualys Threat Research Unit has developed proof-of-concept exploits confirming that the vulnerabilities are present and exploitable on Ubuntu, Debian, Fedora, and openSUSE Leap 15.
Patches were provided privately to Linux distribution developers last week; technical details of the flaws and the PoCs have since been made public.
“Deploy patches without delay”
“These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover. By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit’s allow_active trust zone and emerge as root in seconds. Nothing exotic is required: each link is pre-installed on mainstream Linux distros and their server builds,” Abbasi noted.
CVE-2025-6018 also opens the door for attackers leveraging other recently discovered flaws that require “allow_active” user privileges, the company pointed out in the advisory.
Major Linux distributions have already started patching the two flaws, by adjusting rules and/or updating the libblockdev and udisks packages.
“The default polkit policy for the ‘org.freedesktop.udisks2.modify-device’ action may allow any active user to modify devices. To mitigate this, the policy should be changed to require administrator authentication for this action,” Abbasi explained.
“Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.”
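As an added example (not code from Qualys, the udisks project or the original article), this is a polkit rules file implementing the mitigation Abbasi describes: a rule that returns auth_admin for the `org.freedesktop.udisks2.modify-device` action, so holding the “allow_active” trust level alone is no longer enough to modify devices. The install path in the comment and the small stand-in `polkit` object that lets the file run outside polkitd are assumptions made for illustration; when polkitd loads the rule it supplies the real `polkit` global itself.

```javascript
// Added example, not the udisks project's or Qualys's code.
// Install as e.g. /etc/polkit-1/rules.d/10-udisks2-modify-device.rules (path is an assumption;
// polkitd evaluates files in rules.d in lexical order, lower numbers first).
//
// Stand-in for running/unit-testing this file outside polkitd (assumption for this example):
// polkitd defines the global `polkit` object when it loads a rules file, so inside polkitd the
// `typeof` check keeps the real object and this shim is never used. The Result strings below
// match the values polkit itself uses ("auth_admin", "not_handled").
var polkit = (typeof polkit !== "undefined") ? polkit : {
  Result: { AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); },
  log: function (_msg) { /* polkitd writes these to its log; no-op in the shim */ }
};

var UDISKS_MODIFY_DEVICE = "org.freedesktop.udisks2.modify-device";

// The rule body is a named function so it can be exercised directly (see usage below).
// polkitd calls it with (action, subject) for every authorization check.
function requireAdminForModifyDevice(action, subject) {
  if (action.id === UDISKS_MODIFY_DEVICE) {
    // AUTH_ADMIN: prompt for an administrator's credentials no matter whether the session
    // is local, active, or merely appears active (the condition CVE-2025-6018 lets an SSH
    // user fake). This closes the "allow_active: yes" default the advisory warns about.
    polkit.log("udisks2 modify-device requested by user " + subject.user +
               " (active=" + subject.active + ", local=" + subject.local + "); requiring admin auth");
    return polkit.Result.AUTH_ADMIN;
  }
  // Any other action falls through to the next rule or the action's own default policy.
  return polkit.Result.NOT_HANDLED;
}

polkit.addRule(requireAdminForModifyDevice);

// Stand-alone usage (only meaningful under the shim, not inside polkitd):
// requireAdminForModifyDevice({ id: UDISKS_MODIFY_DEVICE }, { user: "alice", active: true, local: false })
//   -> "auth_admin"
```

After dropping the file into rules.d, polkitd normally picks it up without a restart; confirm the effective policy with `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device` and check that the “implicit active” setting is no longer “yes”. Note that this is a mitigation for the chain, not a substitute for the libblockdev and udisks package updates that fix CVE-2025-6019 itself.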