
Amid ongoing discussions surrounding the security of Linux systems, two critical vulnerabilities have emerged that allow a regular user to seize full control of the system. Both flaws—related to privilege escalation—were uncovered by researchers at Qualys and are tracked as CVE-2025-6018 and CVE-2025-6019. When exploited in tandem, they enable an ordinary user to ascend to superuser status, gaining unrestricted root access to the system.
CVE-2025-6018 resides within the PAM authentication mechanism of SUSE Linux Enterprise 15 and openSUSE Leap 15. This vulnerability permits an unauthorized user to escalate privileges to the “allow_active” level—a status that confers Polkit permissions typically reserved for physically present users. This loophole serves as the initial gateway to full system compromise.
CVE-2025-6019, on the other hand, was found in the libblockdev component and is exploited via the udisks daemon, which is pre-installed on nearly all mainstream Linux distributions. It allows users with “allow_active” privileges to further escalate to root-level access. When paired with the first flaw, this chain of exploitation becomes remarkably potent, swiftly bypassing two distinct layers of protection and granting complete control over the system.
According to Qualys, an attacker requires only an active session—whether through a graphical interface or SSH—to leverage these vulnerabilities and attain root privileges within seconds. This method of attack dismantles the traditional boundaries between standard users and administrators, effectively nullifying the principle of privilege separation. Once root access is obtained, the attacker gains full dominion over the system: altering security settings, installing stealth access tools, and pivoting across the network to compromise additional nodes.
Qualys has verified the efficacy of these vulnerabilities through proof-of-concept exploits across various systems, including Fedora, Debian, Ubuntu, and openSUSE. Experts emphasize that nearly all modern Linux distributions are at risk, given that udisks and Polkit constitute core elements of their infrastructure. To mitigate potential threats, immediate installation of the latest security patches is strongly advised. As a temporary countermeasure, it is recommended to modify the Polkit rule for the action org.freedesktop.udisks2.modify-device, requiring administrator authentication (auth_admin) to restrict automatic privilege escalation.
It is also worth recalling that a previously discovered kernel vulnerability—CVE-2023-0386—was recently added to the Known Exploited Vulnerabilities (KEV) catalog. Despite a patch having been issued in early 2023, this flaw has seen active exploitation in recent months. It undermines a critical Linux safeguard: namespaces, which are responsible for isolating user privileges and process domains. Due to improper implementation of overlay file systems, it becomes possible to move an executable object from one layer to another and execute it with administrative privileges. This is particularly alarming in multi-user or containerized environments.