Linux users received two important security notifications on Tuesday: a couple of new vulnerabilities can be chained for full root access, and CISA warned about the in-the-wild exploitation of an older flaw.
Cybersecurity firm Qualys has published details and proof-of-concept (PoC) code for two new Linux vulnerabilities that can be exploited for local privilege escalation.
One of the security holes, tracked as CVE-2025-6018, impacts the Pluggable Authentication Modules (PAM) framework on Linux and allows an unprivileged local attacker to elevate permissions to ‘allow_active’ and invoke actions that are normally reserved for users who are physically present at the machine.
The second vulnerability, CVE-2025-6019, enables an ‘allow_active’ user to leverage the Udisks daemon (used for storage management) and libblockdev (a library for low-level block-device operations) to obtain full root access.
CVE-2025-6018 and CVE-2025-6019 can be chained to allow an unprivileged attacker to achieve full root access on the targeted system.
Qualys pointed out that the Udisks component is present by default on nearly all Linux distributions, which makes the vulnerabilities dangerous.
“Given the ubiquity of Udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay,” Qualys warned.
Separately, CISA warned on Tuesday that a Linux kernel vulnerability, tracked as CVE-2023-0386, has been exploited in attacks.
The cybersecurity agency added the flaw, which impacts the Linux kernel’s OverlayFS subsystem and allows a local attacker to escalate privileges, to its Known Exploited Vulnerabilities (KEV) catalog.
There do not appear to be any public reports describing exploitation of CVE-2023-0386.
CVE-2023-0386 is one of two vulnerabilities disclosed in 2023 that are collectively tracked as GameOver(lay). Researchers warned at the time that the flaws are easy to exploit and they had impacted 40% of Ubuntu cloud workloads. PoC code and technical details were made available shortly after disclosure.
More than 20 Linux kernel vulnerabilities are currently in CISA’s KEV catalog, including several added last year.
Public reports describing attacks that exploit Linux kernel flaws are rare, but such flaws are frequently leveraged by malware.
