Unrated severity · NVD Advisory · Published Jul 23, 2025 · Updated Nov 6, 2025
pam-config: LPE from unprivileged to allow_active in PAM
CVE-2025-6018
Description
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all Polkit actions configured with "allow_active yes", which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations.
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- access.redhat.com/security/cve/CVE-2025-6018 (mitre, vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre, issue-tracking, x_refsource_REDHAT)
- bugzilla.suse.com/show_bug.cgi (mitre)
- cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt (mitre)