PAM, libblockdev Flaws Grant Root Access

Qualys has disclosed a vulnerability (CVE-2025-6019) in the libblockdev library that allows a local user to obtain root privileges on the system by manipulating the udisks background process. A proof-of-concept exploit has been demonstrated on Ubuntu, Debian, Fedora, and openSUSE Leap 15.

The udisks daemon ships with almost all Linux distributions and exposes a D-Bus interface for drive operations such as mounting and formatting; internally, those operations are carried out by calling libblockdev functions. By default, access to udisks is granted only to users in the polkit "allow_active" context, i.e. users with physical access to the machine who are logged in on a local console or running a graphical session. Users connecting remotely, for example over SSH, are not in this context and cannot exploit the vulnerability directly.

To bypass this restriction, a trick can be used to elevate the authorization level to "allow_active" by manipulating the launch of a user service through the systemctl utility, which polkitd then interprets as a sign of a local session. The method works because polkitd infers physical access, and assigns the "allow_active" level, from indirect signals that can be influenced. Its limitation is that fooling polkitd requires a local user with physical access to already have an active session on the system, so the method is not suitable for servers.
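The "allow_active" context polkit applies here is derived from systemd-logind session properties: a session that is bound to a seat and currently active gets "allow_active", a seated but inactive session gets "allow_inactive", and a seatless session (an SSH login, for instance) only gets "allow_any". The script below is an added example, not code from the article or from Qualys, that shows this mapping and lets an administrator audit which sessions on a host would currently qualify for udisks access. The session records are constructed for an offline run; on a live system the same fields come from `loginctl show-session <id> -p Id -p Seat -p Active -p Remote -p Type`, and the `polkit_context` helper and its seat/active rule are this example's own simplification of polkit's logind-based check.

```shell
#!/bin/sh
# Added example (not part of the article): map logind session properties to the
# polkit context a client in that session would be evaluated under.

# $1 = Seat (empty string when the session has no seat), $2 = Active (yes/no).
# Assumption of this example: local == has a seat, as polkit asks logind.
polkit_context() {
    seat="$1"; active="$2"
    if [ -n "$seat" ]; then
        if [ "$active" = "yes" ]; then echo allow_active; else echo allow_inactive; fi
    else
        echo allow_any
    fi
}

# Constructed sample of three sessions in the format loginctl prints them:
# a graphical seat session, an SSH login without a seat, and a seated but
# inactive text console.
SAMPLE_SESSIONS='Id=2
Seat=seat0
Active=yes
Remote=no
Type=wayland

Id=3
Seat=
Active=yes
Remote=yes
Type=tty

Id=5
Seat=seat0
Active=no
Remote=no
Type=tty'

# Parse blank-line separated records and print "<id> <type> <context>" per session.
classify_sessions() {
    printf '%s\n\n' "$1" | awk -v RS='' -F'\n' '{
        id = ""; seat = "-"; active = ""; type = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "Id") id = v
            else if (k == "Seat" && v != "") seat = v
            else if (k == "Active") active = v
            else if (k == "Type") type = v
        }
        print id, type, seat, active
    }' | while read -r id type seat active; do
        if [ "$seat" = "-" ]; then seat=""; fi   # "-" marks a seatless session
        printf '%s %s %s\n' "$id" "$type" "$(polkit_context "$seat" "$active")"
    done
}

# Number of sessions that would currently satisfy an allow_active rule.
count_allow_active() {
    classify_sessions "$1" | grep -c allow_active
}

classify_sessions "$SAMPLE_SESSIONS"
```

Run on a live host, replace `SAMPLE_SESSIONS` with the output of `loginctl show-session` for each id from `loginctl list-sessions`; any session reported as `allow_active` is one whose processes pass the default udisks polkit check, which is exactly the population that the trick described above tries to join.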

The second way to obtain "allow_active" rights is to exploit a vulnerability (CVE-2025-6018) in PAM (Pluggable Authentication Modules), which the Qualys researchers discovered while analyzing the vulnerability in
