CVE-2025-6019

7.0 HIGH

📋 TL;DR

A Local Privilege Escalation vulnerability in libblockdev allows physically present users with 'allow_active' Polkit permissions to escalate to root privileges. Attackers can create malicious XFS images with SUID-root shells, trick udisks into resizing them, and gain complete system control. This affects systems using libblockdev with udisks and Polkit's allow_active configuration.

💻 Affected Systems

Products:
  • libblockdev
  • udisks
Versions: libblockdev versions before fixes in RHSA-2025:10796 and related advisories
Operating Systems: Linux distributions using libblockdev and udisks (particularly RHEL-based systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Polkit's allow_active configuration and udisks interaction. Most vulnerable on systems where physically present users have allow_active permissions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root access, allowing attacker to install persistent backdoors, steal all data, and disable security controls.

🟠

Likely Case

Local attacker gains root privileges on the target system, enabling privilege escalation from limited user to full administrative control.

🟢

If Mitigated

Limited impact if proper Polkit restrictions are in place and udisks security flags are enforced correctly.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring physical or local access to the system.
🏢 Internal Only: HIGH - Internal users with local access and allow_active permissions can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access, Polkit allow_active permissions, and ability to create/mount filesystem images. Exploit involves multiple steps including creating malicious XFS image and triggering udisks resize operation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available via RHSA-2025:10796, RHSA-2025:9320, RHSA-2025:9321, RHSA-2025:9322, RHSA-2025:9323

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:10796

Restart Required: No

Instructions:

1. Update libblockdev packages using your distribution's package manager.
2. For RHEL systems: 'sudo yum update libblockdev' or 'sudo dnf update libblockdev'.
3. Verify udisks is also updated if required by your distribution.

🔧 Temporary Workarounds

Restrict Polkit allow_active permissions

Platform: linux

Limit or remove allow_active permissions for physically present users to prevent exploitation.

sudo nano /etc/polkit-1/rules.d/50-default.rules
Add restrictions to allow_active rules
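One way to carry out the "restrict allow_active" workaround above, as an added example that is not part of this advisory: a polkit rules file (polkit rules are written in JavaScript) that turns any active-session grant for udisks2 actions into an administrator authentication prompt, while leaving members of the admin group untouched. The action-id prefix `org.freedesktop.udisks2.` (taken from udisks2's own policy) and the `wheel` admin group are assumptions; check your distribution's udisks2 policy file and admin group before deploying. Save it under `/etc/polkit-1/rules.d/` with a name that sorts before `50-default.rules`, for example `10-udisks2-require-admin.rules`.

```javascript
// Added example (not from the advisory): polkit rule that requires
// admin authentication for udisks2 actions requested by non-admin users.
// Written in ES5 because polkitd's embedded JS engine may not support newer syntax.

// polkit.Result.AUTH_ADMIN is the string "auth_admin" inside polkitd;
// fall back to the literal so the logic can also be exercised outside polkitd.
var AUTH_ADMIN = (typeof polkit !== "undefined") ? polkit.Result.AUTH_ADMIN : "auth_admin";
var NOT_HANDLED = null; // null means "not handled": later rules and defaults apply

var UDISKS_PREFIX = "org.freedesktop.udisks2."; // assumption: udisks2 action-id namespace
var ADMIN_GROUP = "wheel";                      // assumption: adjust to your distro's admin group

// action.id and subject.isInGroup() are the fields polkitd passes to rule functions.
function udisksRule(action, subject) {
  // Only udisks2 actions (mount, loop-setup, modify-device, ...) are in scope.
  if (action.id.indexOf(UDISKS_PREFIX) !== 0) {
    return NOT_HANDLED;
  }
  // Administrators keep whatever the default policy grants them.
  if (subject.isInGroup(ADMIN_GROUP)) {
    return NOT_HANDLED;
  }
  // Everyone else: an active local session alone is no longer enough;
  // polkit will prompt for an administrator's credentials.
  return AUTH_ADMIN;
}

if (typeof polkit !== "undefined") {
  polkit.addRule(udisksRule);
}
```

The prefix match deliberately covers all udisks2 actions, including removable-media mounting, so desktop users will see an admin prompt when plugging in a USB stick; if that is too broad for your environment, narrow the match to the device-modification and loop-setup action ids in your distribution's udisks2 policy. Verify the result with `pkcheck` or by inspecting `journalctl -u polkit` after a test mount.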

Disable automatic mounting of filesystem images

Platform: linux

Prevent udisks from automatically mounting user-provided filesystem images.

sudo systemctl mask udisks2.service
sudo systemctl stop udisks2.service

🧯 If You Can't Patch

  • Restrict physical access to systems and implement strict Polkit policy controls
  • Monitor for suspicious filesystem mounting operations and SUID file creation

🔍 How to Verify

Check if Vulnerable:

Check libblockdev version: 'rpm -q libblockdev' or 'dpkg -l | grep libblockdev'. Compare against patched versions in Red Hat advisories.

Check Version:

rpm -q libblockdev --queryformat '%{VERSION}-%{RELEASE}\n'

Verify Fix Applied:

Verify libblockdev package version matches patched version from vendor advisories and test that malicious XFS images cannot be mounted with SUID privileges.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected udisks resize operations
  • Mounting of user-created XFS images
  • Creation of SUID-root files in mounted filesystems

Network Indicators:

  • None - this is a local attack

SIEM Query:

source="audit.log" AND (((event="MOUNT" OR event="RESIZE") AND image="*.xfs") OR (process="udisksd" AND action="mount"))
