Critical Linux Vulnerabilities Allow Full Root Access Through PAM and Udisks in Major Distributions
Cybersecurity researchers have identified two significant local privilege escalation (LPE) vulnerabilities that could allow an unprivileged local user to gain root privileges on major Linux distributions.
The vulnerabilities, discovered by Qualys, are detailed as follows:
– CVE-2025-6018 – This flaw enables unprivileged access to the “allow_active” state within the Pluggable Authentication Modules (PAM) configuration found in SUSE 15.
– CVE-2025-6019 – This vulnerability allows elevation from the “allow_active” state to root status through the libblockdev library, utilizing the udisks daemon.
Saeed Abbasi, Senior Manager at Qualys Threat Research Unit (TRU), commented on the severity of these exploits, stating, “These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover.” By leveraging legitimate services like udisks alongside PAM quirks, attackers with access to any active GUI or SSH session can circumvent polkit’s permission boundaries and escalate privileges to root within moments.
CVE-2025-6018 specifically affects the PAM settings in openSUSE Leap 15 and SUSE Linux Enterprise 15, enabling a local, unprivileged user to escalate privileges to “allow_active” and execute Polkit actions reserved for physical users.
CVE-2025-6019, in turn, impacts the libblockdev framework and is exploitable through the udisks daemon, which is typically installed by default on most Linux distributions. It effectively allows any “allow_active” user to achieve full root access, and chaining it with CVE-2025-6018 supplies that “allow_active” status in the first place.
Abbasi further noted, “Although it nominally requires ‘allow_active’ privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain ‘allow_active,’ including the PAM issue disclosed here, further negate that barrier.”
The consequences of obtaining root privileges are severe, granting an attacker unrestricted access to the system. This access could serve as a launching point for further malicious activities, including the modification of security measures and the insertion of backdoors for sustained unauthorized access.
Qualys has successfully developed proof-of-concept (PoC) exploits to validate the existence of these vulnerabilities across various operating systems, including Ubuntu, Debian, Fedora, and openSUSE Leap 15.
To mitigate these risks, it is essential for users to apply patches provided by their respective Linux distribution vendors. Additionally, as a temporary measure, users are advised to adjust the Polkit rule for “org.freedesktop.udisks2.modify-device” to necessitate administrator authentication (“auth_admin”).
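As an added example (not code from this article, from Qualys, or from the udisks project), the following POSIX shell script writes the interim polkit rule described above into polkit's rules directory and checks that it is in place. The action id and the “auth_admin” result come from the text; the file name `10-udisks2-modify-device.rules` and the `RULES_DIR` variable are my own choices.

```shell
#!/bin/sh
# Added example: install the interim polkit rule that forces administrator
# authentication for the udisks2 "modify-device" action, so an allow_active
# user can no longer trigger it without authenticating as an admin.
# Assumed names: RULES_DIR (polkit's usual rules directory) and RULE_FILE.
RULES_DIR="${RULES_DIR:-/etc/polkit-1/rules.d}"
RULE_FILE="10-udisks2-modify-device.rules"

# Write the rule. polkit evaluates .rules files as JavaScript; returning
# polkit.Result.AUTH_ADMIN overrides the implicit authorization the action
# would otherwise grant to callers in an active local session.
install_udisks_rule() {
    dir="${1:-$RULES_DIR}"
    mkdir -p "$dir"
    cat > "$dir/$RULE_FILE" <<'EOF'
// Interim mitigation until patched udisks/libblockdev packages are installed:
// require administrator authentication for every caller of this action.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
    chmod 0644 "$dir/$RULE_FILE"
}

# Succeed (exit 0) only if the rule file exists and still names both the
# action id and the AUTH_ADMIN result; anything else counts as "not mitigated".
udisks_rule_present() {
    dir="${1:-$RULES_DIR}"
    f="$dir/$RULE_FILE"
    [ -r "$f" ] || return 1
    grep -q 'org.freedesktop.udisks2.modify-device' "$f" &&
        grep -q 'polkit.Result.AUTH_ADMIN' "$f"
}

# Show the action's registered defaults for the record. pkaction reports the
# policy file's implicit authorizations, not the effect of rules files, so it
# is a way to see why allow_active matters, not a test of the rule above.
show_udisks_action_defaults() {
    command -v pkaction >/dev/null 2>&1 || { echo "pkaction not available"; return 0; }
    pkaction --verbose --action-id org.freedesktop.udisks2.modify-device
}

# Usage: run "install" as root to apply the rule, "check" to verify it,
# "show" to print the action's defaults.
case "${1:-}" in
    install) install_udisks_rule && echo "rule written to $RULES_DIR/$RULE_FILE" ;;
    check)   udisks_rule_present && echo "rule present" || echo "rule missing" ;;
    show)    show_udisks_action_defaults ;;
esac
```

Two caveats. Rules files are read by polkit releases that use the JavaScript rules engine (0.106 and later); a distribution still shipping polkit 0.105 uses `.pkla` local-authority files instead, and the equivalent entry there sets `ResultActive=auth_admin` for the same action id. Second, the rule is a stop-gap: once patched udisks and libblockdev packages are installed, the file can be removed so that legitimate desktop users regain the default behaviour.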
In a related disclosure, Linux PAM maintainers have recently addressed a high-severity path traversal vulnerability (CVE-2025-6020, CVSS score: 7.8) that also poses a risk of local privilege escalation. This issue has been rectified in version 1.7.1.
The pam_namespace module is impacted in systems that utilize it for setting up polyinstantiated directories, especially when the path is subject to user control. As a workaround for CVE-2025-6020, users should consider disabling pam_namespace or ensuring its operation does not permit user-controlled paths.
Olivier Bal-Petre from ANSSI, who reported the flaw, emphasized the importance of users updating their namespace.init scripts if they do not utilize the distribution-provided version, to ensure both paths remain secure for root operations.