New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions

Cybersecurity researchers have uncovered two local privilege escalation (LPE) flaws that could be exploited to gain root privileges on machines running major Linux distributions.
The vulnerabilities, discovered by Qualys, are listed below –
- CVE-2025-6018 – LPE from unprivileged to allow_active in SUSE 15’s Pluggable Authentication Modules (PAM)
- CVE-2025-6019 – LPE from allow_active to root in libblockdev via the udisks daemon
“These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover,” Saeed Abbasi, Senior Manager at Qualys Threat Research Unit (TRU), said.

“By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit’s allow_active trust zone and emerge as root in seconds.”
The cybersecurity company said CVE-2025-6018 is present in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15, enabling an unprivileged local attacker to elevate to the “allow_active” user and call Polkit actions that are otherwise reserved for a physically present user.
CVE-2025-6019, on the other hand, affects libblockdev and is exploitable via the udisks daemon included by default on most Linux distributions. It essentially permits an “allow_active” user to gain full root privileges by chaining it with CVE-2025-6018.
“Although it nominally requires ‘allow_active’ privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable,” Abbasi added. “Techniques to gain ‘allow_active,’ including the PAM issue disclosed here, further negate that barrier.”
Once root privileges are obtained, an attacker has carte blanche access to the system, allowing them to use it as a springboard for broader post-compromise actions, such as altering security controls and implanting backdoors for covert access.
Qualys said it has developed proof-of-concept (PoC) exploits to confirm the presence of these vulnerabilities on various operating systems, including Ubuntu, Debian, Fedora, and openSUSE Leap 15.
To mitigate the risk posed by these flaws, it’s essential to apply patches provided by the Linux distribution vendors. As temporary workarounds, users can modify the Polkit rule for “org.freedesktop.udisks2.modify-device” to require administrator authentication (“auth_admin”).
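An added example, not from Qualys or the article: a Python check of the `allow_active` default that a polkit policy file gives the action named above, with a preview of the hardened value. The sample XML and the second action id are constructed for illustration; the element names follow the polkit `.policy` format.

```python
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"  # action named in the article
# polkit implicit-authorization values that never grant without admin authentication
ADMIN_ONLY = {"auth_admin", "auth_admin_keep", "no"}

# Constructed sample in the polkit .policy layout, not copied from any distribution
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.unrelated-action">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

def find_action(root, action_id):
    """Return the <action> element with this id, or None if it is absent."""
    return next((a for a in root.iter("action") if a.get("id") == action_id), None)

def allow_active(xml_text, action_id=ACTION_ID):
    """Return the action's <allow_active> default ('' if unset, None if no such action)."""
    action = find_action(ET.fromstring(xml_text), action_id)
    return None if action is None else (action.findtext("defaults/allow_active") or "").strip()

def needs_workaround(xml_text, action_id=ACTION_ID):
    """True when the action exists and allow_active is not admin-only (unset counts)."""
    value = allow_active(xml_text, action_id)
    return value is not None and value not in ADMIN_ONLY

def harden(xml_text, action_id=ACTION_ID):
    """Return a preview of the policy with the action's allow_active set to auth_admin."""
    root = ET.fromstring(xml_text)  # note: ElementTree drops any DOCTYPE on output
    action = find_action(root, action_id)
    if action is None:
        raise KeyError(action_id)
    defaults = action.find("defaults")
    if defaults is None:
        defaults = ET.SubElement(action, "defaults")
    elem = defaults.find("allow_active")
    if elem is None:
        elem = ET.SubElement(defaults, "allow_active")
    elem.text = "auth_admin"
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("needs workaround:", needs_workaround(SAMPLE_POLICY))
```

Local polkit rules can override the policy defaults, so review them as well as the policy file.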
Flaw Disclosed in Linux PAM
The disclosure comes as maintainers of Linux PAM resolved a high-severity path traversal flaw (CVE-2025-6020, CVSS score: 7.8) that could also allow a local user to escalate to root privileges. The issue has been fixed in version 1.7.1.

“The module pam_namespace in linux-pam <= 1.7.0 may access user-controlled paths without proper protections, which allows a local user to elevate their privileges to root via multiple symlink attacks and race conditions,” Linux PAM maintainer Dmitry V. Levin said.
Linux systems are vulnerable if they use pam_namespace to set up polyinstantiated directories for which the path to either the polyinstantiated directory or the instance directory is under user control. As workarounds for CVE-2025-6020, users can disable pam_namespace or ensure it does not operate on user-controlled paths.
ANSSI’s Olivier Bal-Petre, who reported the flaw to the maintainer on January 29, 2025, said users should also update their namespace.init script, if they do not use the one provided by their distribution, to ensure that either of the two paths is safe to operate on as root.