Yesterday, Qualys published details about a vulnerability discovered in the libblockdev package. Two vulnerabilities were announced, CVE-2025-6018 and CVE-2025-6019. AlmaLinux is not impacted by CVE-2025-6018, but we are impacted by CVE-2025-6019.
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.
I had one question: is this data available in the AlmaLinux errata, or some other machine readable format? The blog post shows versions of these RPMs are patched, but I don’t see any information about it that, for example, a vulnerability scanner could read, meaning that for now images with these fixes will have false positives.
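Until the errata carry the fix, one fallback a scanner (or an admin verifying an image) can use on RPM-based hosts is the package changelog, since backported fixes normally name the CVE there. The script below is an added example, not code from the forum post or from AlmaLinux; the changelog text, maintainer and version strings in it are constructed placeholders, not real AlmaLinux builds.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample in `rpm -q --changelog` format. The package and CVE match
# the post; versions and maintainer are placeholders, not real AlmaLinux builds.
SAMPLE_CHANGELOG = """\
* Wed Jun 18 2025 Maintainer <maint@example.invalid> - 0.0-2.el9.EXAMPLE
- Resolves: CVE-2025-6019 libblockdev: privilege escalation via udisks

* Mon Jan 06 2025 Maintainer <maint@example.invalid> - 0.0-1.el9.EXAMPLE
- Rebuild
"""

# Entry header: '* <date> <name> <email> - <version-release>'
HEADER_RE = re.compile(r"^\* .+ - (\S+)$")


def parse_changelog(text: str) -> List[Tuple[str, str]]:
    """Split rpm changelog text into (version-release, body) pairs, newest first."""
    entries: List[Tuple[str, str]] = []
    version, body = None, []  # type: Optional[str], List[str]
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if version is not None:
                entries.append((version, "\n".join(body)))
            version, body = m.group(1), []
        elif version is not None:
            body.append(line)
    if version is not None:
        entries.append((version, "\n".join(body)))
    return entries


def fixed_version_for(text: str, cve: str) -> Optional[str]:
    """Newest version-release whose entry names `cve` exactly (not a longer id), else None."""
    cve_re = re.compile(re.escape(cve) + r"(?!\d)", re.IGNORECASE)
    for version, body in parse_changelog(text):
        if cve_re.search(body):
            return version
    return None


def installed_fix_version(package: str, cve: str) -> Optional[str]:
    """Query the installed package's changelog on an RPM host; None if rpm/package is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "--changelog", package],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return fixed_version_for(out, cve)


if __name__ == "__main__":
    print(fixed_version_for(SAMPLE_CHANGELOG, "CVE-2025-6019"))   # 0.0-2.el9.EXAMPLE
    print(installed_fix_version("libblockdev", "CVE-2025-6019"))  # live host only
```

A None result from the live query only means the changelog does not name the CVE; it is evidence for triaging a scanner finding, not a substitute for the published errata.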