New critical Linux flaws let attackers escalate to root via PAM and udisks vulnerabilities
The Qualys Threat Research Unit has disclosed two linked local privilege escalation vulnerabilities that affect a broad range of Linux systems. The first, CVE-2025-6018, impacts openSUSE Leap 15 and SUSE Linux Enterprise 15. It centers on the PAM (Pluggable Authentication Modules) stack, which determines whether a user's session is considered "active" and therefore eligible for privileged actions. This flaw lets unprivileged local attackers, including those connecting via SSH, escalate their status to allow_active and trigger actions that polkit normally restricts to physically present users.
The second vulnerability, CVE-2025-6019, resides in libblockdev and is exploitable through the udisks daemon. Udisks ships by default on most Linux distributions and provides a D-Bus interface for local storage management. Exploiting it on its own requires allow_active privileges, but because the PAM flaw makes those easy to obtain, nearly any unprivileged attacker can chain the two bugs for full root access.
Chained together, the two flaws remove the barrier between a standard login and root, allowing any attacker with an active graphical or SSH session to take over an affected system in seconds. Qualys stresses the severity because udisks is ubiquitous and the required techniques are simple, and advises organizations to patch without delay.
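The chain described above hinges on what an allow_active session is permitted to do without authenticating. A defender's first question on an unpatched host is therefore which polkit actions default to "yes" for active sessions. The script below, an added example that is not from the article, from Qualys or from any distribution's tooling, parses polkit .policy files and reports exactly those actions. The policy XML is constructed for the demonstration and its action ids are invented; the only real-world assumption is that a host's policies live under /usr/share/polkit-1/actions, the standard location.

```python
"""Audit polkit .policy files for actions that an active local session may
invoke with no authentication at all (defaults/allow_active == "yes").

Added example for illustration; not part of the article or of any vendor
or distribution tooling. SAMPLE_POLICY is a constructed policy file with
invented action ids. audit_policy_dir() assumes the standard polkit path.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: one action lets active sessions act freely, the other
# still demands an administrator password even for active sessions.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.storage.modify-device">
    <description>Modify a storage device (constructed sample)</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.storage.mount-system">
    <description>Mount a system device (constructed sample)</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def active_without_auth(xml_text):
    """Return the ids of actions whose <allow_active> default is 'yes'.

    Any other value ("no", "auth_self", "auth_admin", the *_keep variants)
    either denies the action or forces an authentication prompt, so only
    the literal "yes" is flagged.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for action in root.iter("action"):
        node = action.find("defaults/allow_active")
        if node is not None and (node.text or "").strip() == "yes":
            hits.append(action.get("id"))
    return hits


def audit_policies(named_texts):
    """Map file name -> flagged action ids, for files that have at least one.

    named_texts is an iterable of (name, xml_text) pairs so the logic can be
    exercised on in-memory input without touching the filesystem.
    """
    report = {}
    for name, text in named_texts:
        hits = active_without_auth(text)
        if hits:
            report[name] = hits
    return report


def audit_policy_dir(path="/usr/share/polkit-1/actions"):
    """Read every *.policy file under path (assumed polkit default) and audit it."""
    base = Path(path)
    files = ((p.name, p.read_text(encoding="utf-8")) for p in sorted(base.glob("*.policy")))
    return audit_policies(files)


if __name__ == "__main__":
    # Run against the real host when the directory exists, else the sample.
    if Path("/usr/share/polkit-1/actions").is_dir():
        report = audit_policy_dir()
    else:
        report = audit_policies([("sample.policy", SAMPLE_POLICY)])
    for name, ids in report.items():
        for action_id in ids:
            print(f"{name}: {action_id} is open to any allow_active session")
```

Every line the script prints is an action that the PAM flaw would hand to a remote SSH user for free, so the output is the list of defaults worth reviewing (and, until patches land, tightening to an auth_admin variant) rather than a finding in itself.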


Comments
So far, both flaws need to be exploited together to get full root access. As udisks is common, PAM is mostly an enterprise tool (that allows checking if the user is physically present, like using a USB key). Still, it's pretty serious (scored 7/10 on CVE) but already patched (nearly a week ago).
I cannot agree with you on your point with PAM. If you are able to login on: