New udisks Vulnerability Allows Local Users to Gain Root on Major Linux Distributions

A newly disclosed vulnerability chain affecting the Linux udisks service can allow unprivileged users to escalate privileges to root on many major Linux distributions. This comes as yet another reminder that local privilege escalation (LPE) flaws remain a critical security concern, especially when combined with misconfigurations or overly permissive policies. For related issues, see our articles on CISA’s alert about a Linux kernel LPE vulnerability, the risks of misconfigured FTP access, and the Pumabot SSH hijacking campaign.

CVE-2025-6018: Exploiting allow_active via PAM Misconfiguration

The first issue affects the PAM (Pluggable Authentication Modules) configuration on openSUSE Leap 15 and SUSE Linux Enterprise 15. Under certain conditions, a local user with GUI or SSH access can be granted the allow_active Polkit role, which is normally only available to physically present users at the console. This happens because a misconfigured PAM rule does not properly restrict access.

CVE-2025-6019: Escalating to Root via udisks and libblockdev

Once a user obtains the allow_active role, they can exploit the second flaw in udisks (through libblockdev) to gain full root access. Udisks is a common Linux daemon responsible for managing storage devices, and it interfaces with Polkit for permission checks.

The attack works as follows:

  1. The attacker gains the allow_active role by triggering CVE-2025-6018.
  2. Using this role, they issue specific commands via udisks that are executed with root privileges without requiring further authentication.
  3. As a result, they can fully compromise the system and become root within seconds.

Affected Distributions

While the initial PAM misconfiguration primarily affects SUSE-based systems, the second vulnerability in udisks impacts a wide range of distributions, including:

  • Ubuntu
  • Debian
  • Fedora
  • openSUSE Leap 15

Since udisks is bundled by default in most major distros, this issue has a broad impact.

Recommendations

Apply patches immediately. Updates have been released or are being prepared by affected vendors. Users and administrators are advised to update their systems as soon as possible.

Temporary workaround: Until patches are applied, system administrators can modify the Polkit rule for org.freedesktop.udisks2.modify-device to require administrative authentication (auth_admin) instead of allow_active.

To do this, locate the relevant .rules file under /etc/polkit-1/rules.d/ and change any references from:

allow_active

To:

auth_admin

This will ensure that even active users must authenticate before sensitive udisks actions can be performed.
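The workaround above written out as a Polkit JavaScript rules file, added here as an example (it is not from the article or from the udisks project). The `polkit` shim and the `decide` helper are assumptions that let the rule logic run under node; inside polkitd only the `polkit.addRule` call matters, and the file name 10-udisks2-modify-device.rules is a placeholder.

```javascript
// Added example (not from the article): a Polkit rules file that forces the
// org.freedesktop.udisks2.modify-device action to auth_admin, plus a shim so the
// rule logic can be exercised with node. Suggested placeholder path:
// /etc/polkit-1/rules.d/10-udisks2-modify-device.rules

// Shim (assumption, test-only): polkitd defines the global `polkit` object, so
// this branch never runs inside polkitd; it only runs under node.
if (typeof polkit === "undefined") {
  var polkit = {
    Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
              AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); },
    // Mimics polkitd: rules run in order, the first non-null result wins,
    // and null (NOT_HANDLED) falls through to the .policy file defaults.
    evaluate: function (action, subject) {
      for (var i = 0; i < this._rules.length; i++) {
        var r = this._rules[i](action, subject);
        if (r !== null && r !== undefined) { return r; }
      }
      return this.Result.NOT_HANDLED;
    }
  };
}

// The workaround itself: require administrative authentication for the
// udisks2 modify-device action regardless of the caller's session state,
// so an allow_active (console) session no longer gets it for free.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
  return polkit.Result.NOT_HANDLED; // other actions keep their defaults
});

// Test-only helper (assumption): evaluate the rule for a constructed
// action and subject. `active` mirrors Subject.active, the console-session
// flag that the allow_active default keys on; `local` mirrors Subject.local.
function decide(actionId, active) {
  return polkit.evaluate({ id: actionId }, { active: active, local: active });
}
```

polkitd processes rules files in lexical order and stops at the first rule that returns a non-null result, so give the file a name that sorts before any distribution-provided rule that grants the same action.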

Final Thoughts

This vulnerability chain demonstrates how a seemingly minor local configuration issue, when combined with overly permissive defaults in a core system service, can lead to full system compromise.

If you’re running a Linux system that includes udisks (which most modern desktops do), you should:

  1. Patch immediately.
  2. Review Polkit rules.
  3. Monitor your logs for any suspicious use of udisks-related commands.

Security requires constant attention to both application-level flaws and underlying privilege management. Stay updated and review your system policies regularly to avoid unexpected privilege escalations.
