New Linux Bugs Give Attackers Instant Root – Patch Now

Security firm Qualys has revealed two local-privilege-escalation bugs that, when chained, let any logged-in user on most Linux distributions become root in seconds.
• CVE-2025-6018 sits in the PAM configuration shipped with openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing a normal user to upgrade to the “allow_active” trust level and invoke privileged polkit actions.
• CVE-2025-6019 lurks in libblockdev and can be reached via the ubiquitous udisks daemon. An attacker with “allow_active” rights can exploit it to gain full root access.

Because udisks is enabled by default on Ubuntu, Debian, Fedora and many others, the combined flaw effectively hands root access to almost any local attacker. Patches are already rolling out; in the meantime admins can tighten the polkit rule for org.freedesktop.udisks2.modify-device or disable the affected components. A separate high-severity bug (CVE-2025-6020) in pam_namespace has also been fixed; users should upgrade to Linux-PAM 1.7.1 or disable the module.

Two newly disclosed flaws could let anyone with a shell on your Linux box become root almost instantly. Researchers at Qualys uncovered the issues, which affect most major distributions.
What went wrong?
• CVE-2025-6018 – a mis-configured PAM rule in openSUSE Leap 15 and SUSE Linux Enterprise 15 bumps an ordinary user up to the “allow_active” level used by polkit.
• CVE-2025-6019 – a weakness in libblockdev, exposed through the udisks daemon that ships on nearly every desktop and server build, which elevates “allow_active” to full system root.

Any machine running udisks—Ubuntu, Debian, Fedora and more—is vulnerable once an attacker has a local session (GUI or SSH). Proof-of-concept exploits work across multiple distros.

How to stay safe
1. Apply your distro’s patches as soon as they appear.
2. As a temporary measure, change the polkit rule org.freedesktop.udisks2.modify-device to require admin authentication.
3. If you use pam_namespace, update to Linux-PAM 1.7.1 or disable the module to block the related CVE-2025-6020 path-traversal bug.
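Step 2 above is the one an admin can act on before vendor packages land. The script below is an added example for this article, not code from Qualys, the udisks project or any distribution. It audits a polkit policy file for the allow_active default of org.freedesktop.udisks2.modify-device and produces a copy in which that one action requires auth_admin while every other udisks action is left as shipped. It assumes (these are assumptions, not facts from the article) that the policy lives at /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy and follows the standard polkit action/defaults/allow_active layout; the embedded sample policy is constructed so the script runs offline.

```python
"""Audit and harden the polkit default for udisks2's modify-device action.

Added example for this article; not from Qualys, udisks or any distro.
Assumed (not from the article): the policy file path below and the standard
polkit <action id="..."><defaults><allow_active>...</allow_active> layout.
"""
import sys
from typing import Optional
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"
# Assumed default location of the udisks2 policy on most distributions.
POLICY_PATH = "/usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy"
HARDENED_LEVEL = "auth_admin"

# Constructed sample that mirrors the shape of a stock policy: a user in an
# active session ("allow_active") reaches modify-device with no authentication,
# which is the trust level the article says CVE-2025-6019 needs.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.udisks2.filesystem-mount">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def _parse(policy_xml: str) -> ET.Element:
    # Encode first so an XML encoding declaration in the text is accepted.
    return ET.fromstring(policy_xml.encode("utf-8"))


def allow_active_for(policy_xml: str, action_id: str = ACTION_ID) -> Optional[str]:
    """Return the <allow_active> default for action_id, or None if not present."""
    for action in _parse(policy_xml).iter("action"):
        if action.get("id") == action_id:
            node = action.find("defaults/allow_active")
            if node is not None and node.text:
                return node.text.strip()
            return None
    return None


def is_exposed(policy_xml: str, action_id: str = ACTION_ID) -> bool:
    """True when active-session users can invoke the action without authenticating."""
    return allow_active_for(policy_xml, action_id) == "yes"


def harden(policy_xml: str, action_id: str = ACTION_ID, level: str = HARDENED_LEVEL) -> str:
    """Return the policy with only action_id's <allow_active> set to `level`.

    Other actions (mounting, for example) keep their shipped defaults, so the
    change is limited to the action named in the article's mitigation.
    """
    root = _parse(policy_xml)
    for action in root.iter("action"):
        if action.get("id") != action_id:
            continue
        defaults = action.find("defaults")
        if defaults is None:
            defaults = ET.SubElement(action, "defaults")
        node = defaults.find("allow_active")
        if node is None:
            node = ET.SubElement(defaults, "allow_active")
        node.text = level
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else POLICY_PATH
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path} ({exc}); auditing the built-in sample instead")
        text = SAMPLE_POLICY
    print(f"{ACTION_ID}: allow_active={allow_active_for(text)!r}")
    if is_exposed(text):
        print("EXPOSED: active users reach modify-device without authenticating")
        print("--- hardened policy (review, then install and restart polkit) ---")
        print(harden(text))
    else:
        print("OK: modify-device already requires authentication for active sessions")
```

Run it with no arguments to audit the assumed system path, or pass another policy file as the first argument. The hardened output is printed rather than written in place so it can be reviewed first; an equivalent override that survives package upgrades is a JavaScript rule in /etc/polkit-1/rules.d/ that returns polkit.Result.AUTH_ADMIN for this action id.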
Left unpatched, the flaws hand attackers carte blanche: once root, they can disable security tools, install backdoors or pivot deeper into your network. Act today and keep your systems out of their hands.