Linux flaws chain allows Root access across major distributions

Jun 20, 2025 - 11:19

Researchers discovered two local privilege escalation flaws that could let attackers gain root access on systems running major Linux distributions.

Qualys researchers discovered two local privilege escalation (LPE) vulnerabilities that an attacker can exploit to gain root privileges on machines running major Linux distributions.

The two vulnerabilities are:

  • CVE-2025-6018: LPE from unprivileged to allow_active in *SUSE 15’s PAM
  • CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks

The first flaw (CVE-2025-6018) allows an unprivileged local user, such as someone connecting via SSH, to impersonate a physical user and gain access to actions typically reserved for someone sitting in front of the machine.

The second vulnerability (CVE-2025-6019), found in libblockdev and exploitable through the default udisks service, lets a physical or compromised user escalate their access to full root privileges. When combined, these two flaws allow an unprivileged attacker to gain full control over a system.

While any attack that starts from an unprivileged user and ends with root access is concerning, this pair of vulnerabilities is particularly dangerous because of how easily the two flaws can be chained together.

Researchers also pointed to similar recent high-profile exploits that relied on the same “allow_active” user loophole, and a recent blog post by Pumpkin Chang showing how attackers could abuse D-Bus and Polkit rules to impersonate physical users via SSH.

“Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access,” reads the report published by Qualys. “This libblockdev/udisks flaw is extremely significant. Although it nominally requires ‘allow_active’ privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain ‘allow_active’, including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort.”

Qualys confirmed the flaws affect systems such as Ubuntu and Debian, and also developed proof-of-concept exploits to demonstrate the vulnerabilities on these operating systems.

Users should apply security patches to address the flaws or, as a temporary fix, adjust Polkit rules to require admin authentication.
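The temporary Polkit mitigation mentioned above, as an added example that is not part of the article or of Qualys's advisory: a shell check that reads `pkaction --verbose` output to see whether an action is still granted to active (console) sessions without authentication, plus the rules.d fragment that makes it require administrator authentication instead. The udisks action id `org.freedesktop.udisks2.modify-device` is an assumption on my part; the article does not name one.

```shell
#!/bin/sh
# Added example, not from the article or from Qualys. The action id below is
# an assumption (the article does not name the action the chain abuses).
ACTION="org.freedesktop.udisks2.modify-device"

# Pull the "implicit active:" value out of `pkaction --verbose` output read
# from stdin, so the check also works on saved output from another host.
implicit_active() {
    sed -n 's/^[[:space:]]*implicit active:[[:space:]]*//p' | head -n 1
}

# True (exit 0) when active sessions get the action with no authentication,
# i.e. the "allow_active: yes" setting the article describes as the weak link.
needs_hardening() {
    [ "$(implicit_active)" = "yes" ]
}

# Constructed sample of pkaction output for a default, unhardened policy.
SAMPLE_OUTPUT="org.freedesktop.udisks2.modify-device:
  description:       Modify a device
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes
"

# polkit JavaScript rule for /etc/polkit-1/rules.d/ (e.g. 10-udisks-harden.rules)
# that demands admin authentication even from an active console session.
HARDENING_RULE='polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});'

if [ "$1" = "--live" ]; then
    # Query the running polkit and print the rule only when it is needed.
    pkaction --verbose --action-id "$ACTION" | needs_hardening \
        && printf '%s\n' "$HARDENING_RULE"
else
    printf '%s' "$SAMPLE_OUTPUT" | needs_hardening \
        && echo "sample policy grants $ACTION to active sessions: hardening needed"
fi
```

Run with `--live` on a host to check its real policy; after installing the rule, `pkaction --verbose` will still report the policy file's defaults, so verify the rule by attempting the action from an unprivileged active session and confirming an admin prompt appears.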

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)