
A day after CISA confirmed that a Linux kernel vulnerability dating back to 2023 is being actively exploited in the wild, security firm Qualys has reported a pair of Linux vulnerabilities, saying one in particular, CVE-2025-6019, is a “critical and universal” risk in Ubuntu, Fedora, Debian, and openSUSE.
Qualys was able to chain the two (the first was allocated CVE-2025-6018) to pivot from unprivileged local user to root in SUSE Linux Enterprise 15. Whilst the CVE-2025-6018 local privilege escalation (LPE) bug doesn’t appear to work on other distros, CVE-2025-6019 on its own still gives attackers other paths to root, since it only requires an "allow_active" session on the target.
The “trivially exploitable” CVE-2025-6019 is a more particular concern, said Qualys in a technical write-up published on June 17. It affects the ubiquitous libblockdev C library and is exploitable via the udisks daemon that is included by default on most mainstream Linux distributions.
CVE-2025-6019 exploitation: In brief
Per the technical write-up, in short:
[Since 2017] the udisks daemon allows an "allow_active" user to resize their filesystems; and to resize an XFS filesystem (via the xfs_growfs program, which is installed by default on most Linux distributions) the udisks daemon calls the libblockdev library, which temporarily mounts this XFS filesystem in /tmp (if it is not mounted elsewhere already) but *without* the nosuid and nodev flags.
Consequently, an "allow_active" attacker can simply set up a loop device that is backed by an arbitrary XFS image (which contains a SUID-root shell), then request the udisks daemon to resize this XFS filesystem (which mounts it in /tmp *without* the nosuid and nodev flags), and finally execute their SUID-root shell (from their XFS filesystem in /tmp) and therefore obtain full root privileges.
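The dangerous condition described above is a filesystem mounted under /tmp without nosuid and nodev. The following is an added example, not code from The Stack, Qualys or the udisks project: a POSIX shell function that reads /proc/mounts-format lines and reports any mount under /tmp that lacks either flag. The sample mount table is constructed for the demo, and the "/tmp/blockdev.ABC123" mountpoint name is an assumption used only for illustration, not a path taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the original article or from Qualys/udisks):
# flag filesystems mounted under /tmp that are missing nosuid or nodev,
# which is the condition the CVE-2025-6019 write-up relies on.
#
# Input: /proc/mounts-format lines on stdin
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# Output: one line per offending mount: "<mountpoint> <fstype> <missing-flags>"
find_unsafe_tmp_mounts() {
    awk '
    # Only look at mounts strictly below /tmp; a tmpfs on /tmp itself is normal.
    $2 ~ /^\/tmp\// {
        n = split($4, opts, ",")
        has_nosuid = 0; has_nodev = 0
        for (i = 1; i <= n; i++) {
            if (opts[i] == "nosuid") has_nosuid = 1
            if (opts[i] == "nodev")  has_nodev  = 1
        }
        missing = ""
        if (!has_nosuid) missing = "nosuid"
        if (!has_nodev)  missing = (missing == "" ? "nodev" : missing ",nodev")
        if (missing != "") print $2, $3, missing
    }'
}

# Constructed sample mount table (not captured from a real host). The loop
# device on line 3 mimics a temporary XFS mount lacking nosuid,nodev; the
# mountpoint name is an assumption, not a path from the advisory.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/loop0 /tmp/blockdev.ABC123 xfs rw,relatime,attr2,inode64 0 0
/dev/loop1 /tmp/safe-mount xfs rw,nosuid,nodev,relatime 0 0'

# Demo on the constructed sample: prints only the loop0 XFS mount.
printf '%s\n' "$SAMPLE_MOUNTS" | find_unsafe_tmp_mounts
```

On a live system run `find_unsafe_tmp_mounts < /proc/mounts`; a hit for a loop-backed XFS filesystem under /tmp during a udisks resize is exactly the window the write-up describes. A SUID-root binary on such a mount is only honoured because nosuid is absent, so the missing flag, not the loop device itself, is the thing to alert on.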
The Stack has contacted those affected for a comment and further details on their distributions' patches. Red Hat’s bug note is here. Red Hat and SUSE appear to have pushed patches on June 9, according to Qualys’ timeline.
An "allow_active" user (e.g., a physical user, or an attacker who hijacked the session of a physical user, or an attacker who first exploited a vulnerability such as CVE-2025-6018 from this advisory) can obtain the full privileges of the root user… [udisks is] the component that bridges a session’s privileges to device-management routines, and a vulnerability here can give full system control – Qualys
Qualys’ Saeed Abbassi said in a separate blog: “These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover. By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit’s allow_active trust zone and emerge as root in seconds. Nothing exotic is required: each link is pre-installed on mainstream Linux distros and their server builds.”
Updated: Ubuntu's security team said it prepared patches for CVE-2025-6019 during the embargo period following Qualys’ responsible disclosure and added to The Stack: "This vulnerability has limited impact on Ubuntu, as it requires physical access in the default configuration. Additionally, it cannot be chained with CVE-2025-6018, because Ubuntu default installations are not affected by it. We have released guidance for both vulnerabilities in this blog post."