Call for testing - libblockdev CVE-2025-6019 Local Privilege Escalation Vulnerability

Jonathan Wright

Infrastructure SIG lead & ALESCo member

Yesterday, Qualys published details about a vulnerability discovered in the libblockdev package. Two vulnerabilities were announced, CVE-2025-6018 and CVE-2025-6019. AlmaLinux is not impacted by CVE-2025-6018, but we are impacted by CVE-2025-6019.

Without the impact of CVE-2025-6018, the vulnerability in libblockdev (CVE-2025-6019) is arguably less critical, but it is impactful nonetheless.

The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.

AlmaLinux 8, 9, 10, and Kitten 10 are all impacted by CVE-2025-6019. While the avenues for exploitation are limited without the impact of CVE-2025-6018, ALESCo has approved updating this ahead of our upstream given the potential severity if there are other, yet to be discovered avenues to perform the exploit.

More information:

Installing the patched versions of libblockdev on AlmaLinux

It only takes a few steps to install and test the patched version of libblockdev in the testing repo.

Install the testing repo (Skip this step on AlmaLinux Kitten)

sudo dnf install -y almalinux-release-testing && sudo dnf config-manager --enable almalinux-testing

Then update libblockdev:

sudo dnf update libblockdev

Confirm you have the patched version of libblockdev

rpm -q libblockdev

You should see a version matching or higher than the ones below, depending on when you do the installation of the patches.

  • AlmaLinux 8 - libblockdev-2.28-6.el8.alma.1
  • AlmaLinux 9 - libblockdev-2.28-10.el9.alma.1
  • AlmaLinux 10 - libblockdev-3.2.0-3.el10_0.alma.1
  • AlmaLinux Kitten 10 - libblockdev-3.2.0-3.el10.alma.2
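To run the "matching or higher" check across many hosts, the comparison has to follow rpm's segment-by-segment ordering rather than plain string comparison. The following is an added example, not part of the original post or AlmaLinux tooling: it checks collected `rpm -q libblockdev` output against the fixed builds listed above. The `os_key` labels, function names and sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds listed on this page; the dictionary keys are labels chosen for this example.
FIXED = {
    "8": ("2.28", "6.el8.alma.1"),
    "9": ("2.28", "10.el9.alma.1"),
    "10": ("3.2.0", "3.el10_0.alma.1"),
    "kitten10": ("3.2.0", "3.el10.alma.2"),
}
ARCHES = "x86_64|aarch64|ppc64le|s390x|i686|noarch"
NVRA = re.compile(rf"^libblockdev-([^-]+)-([^-]+?)(?:\.(?:{ARCHES}))?$")

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does (no epoch, '~' or '^'
    handling; none of those appear in the builds above). Returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def is_patched(rpm_q_line, os_key):
    """True if the `rpm -q libblockdev` output is at or above the fixed build for os_key."""
    m = NVRA.match(rpm_q_line.strip())
    if not m:
        raise ValueError(f"not a libblockdev package line: {rpm_q_line!r}")
    fixed_ver, fixed_rel = FIXED[os_key]
    return (rpmvercmp(m.group(1), fixed_ver) or rpmvercmp(m.group(2), fixed_rel)) >= 0

# Constructed sample inventory: (host, os_key, output of `rpm -q libblockdev`).
SAMPLE = [
    ("web01", "8", "libblockdev-2.28-6.el8.x86_64"),
    ("web02", "8", "libblockdev-2.28-6.el8.alma.1.x86_64"),
    ("db01", "9", "libblockdev-2.28-10.el9.alma.1.x86_64"),
    ("db02", "9", "libblockdev-2.28-9.el9.x86_64"),
    ("dev01", "kitten10", "libblockdev-3.2.0-3.el10.alma.2.aarch64"),
]

def unpatched_hosts(rows):
    """Return the hosts whose installed build is older than the fixed build."""
    return [host for host, os_key, line in rows if not is_patched(line, os_key)]

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE))
```

A host where `rpm -q` reports that the package is not installed raises `ValueError` here, so it is surfaced rather than silently counted as patched.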

Note: We don’t recommend that you keep the testing repo enabled after you’ve updated libblockdev, unless you’ve done this on a truly non-production environment. If this is a production environment, you can disable the repo with this command (not applicable to AlmaLinux Kitten):

sudo dnf config-manager --disable almalinux-testing

If you encounter problems, please let us know as soon as you can, either in AlmaLinux chat, on bugs.almalinux.org, or by emailing packager@almalinux.org.

Thanks to our community

Security is a priority at AlmaLinux, and once again we’re patching something we know to be important to our community. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community that reported their feelings about this and other updates, worked to fix the problems, and have ever participated in testing our security updates.

If you have any interest in helping us test updates like this in the future, join our chat, join our forums, and keep your eyes open! We’ll be looking for contributions to our OpenQA testing later this year, too!