vulnerability

Red Hat: CVE-2025-6019: libblockdev: LPE from allow_active to root in libblockdev via udisks (Multiple Advisories)

Try Surface Command
Back to search
Severity
7
CVSS
(AV:L/AC:M/Au:S/C:C/I:C/A:C)
Published
Jun 19, 2025
Added
Jun 26, 2025
Modified
Mar 27, 2026

Description

A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

Solutions

redhat-upgrade-libblockdevredhat-upgrade-libblockdev-cryptoredhat-upgrade-libblockdev-crypto-debuginforedhat-upgrade-libblockdev-crypto-develredhat-upgrade-libblockdev-debuginforedhat-upgrade-libblockdev-debugsourceredhat-upgrade-libblockdev-develredhat-upgrade-libblockdev-dmredhat-upgrade-libblockdev-dm-debuginforedhat-upgrade-libblockdev-fsredhat-upgrade-libblockdev-fs-debuginforedhat-upgrade-libblockdev-fs-develredhat-upgrade-libblockdev-kbdredhat-upgrade-libblockdev-kbd-debuginforedhat-upgrade-libblockdev-loopredhat-upgrade-libblockdev-loop-debuginforedhat-upgrade-libblockdev-loop-develredhat-upgrade-libblockdev-lvmredhat-upgrade-libblockdev-lvm-dbusredhat-upgrade-libblockdev-lvm-dbus-debuginforedhat-upgrade-libblockdev-lvm-debuginforedhat-upgrade-libblockdev-lvm-develredhat-upgrade-libblockdev-mdraidredhat-upgrade-libblockdev-mdraid-debuginforedhat-upgrade-libblockdev-mdraid-develredhat-upgrade-libblockdev-mpathredhat-upgrade-libblockdev-mpath-debuginforedhat-upgrade-libblockdev-nvdimmredhat-upgrade-libblockdev-nvdimm-debuginforedhat-upgrade-libblockdev-nvmeredhat-upgrade-libblockdev-nvme-debuginforedhat-upgrade-libblockdev-partredhat-upgrade-libblockdev-part-debuginforedhat-upgrade-libblockdev-part-develredhat-upgrade-libblockdev-plugins-allredhat-upgrade-libblockdev-s390redhat-upgrade-libblockdev-s390-debuginforedhat-upgrade-libblockdev-swapredhat-upgrade-libblockdev-swap-debuginforedhat-upgrade-libblockdev-swap-develredhat-upgrade-libblockdev-toolsredhat-upgrade-libblockdev-tools-debuginforedhat-upgrade-libblockdev-utilsredhat-upgrade-libblockdev-utils-debuginforedhat-upgrade-libblockdev-utils-develredhat-upgrade-libblockdev-vdoredhat-upgrade-libblockdev-vdo-debuginforedhat-upgrade-libblockdev-vdo-develredhat-upgrade-python3-blockdev

References

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report