| Package | libblockdev |
|---|---|
| Version | 2.20-7+deb10u2 (buster) |
| Related CVEs | CVE-2025-6019 |
The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An “allow_active” user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user.
Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Along with the libblockdev update, updated udisks2 packages are released, to enforce that private mounts are mounted with ’nodev,nosuid'.
For Debian 10 buster, these problems have been fixed in version 2.20-7+deb10u2.
We recommend that you upgrade your libblockdev packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.