CVE-2025-6020 - log

CVE-2025-6020 edited at 19 Jun 2025 00:42:23
Description
+ The module pam_namespace in linux-pam <= 1.7.0 may access user-controlled paths without proper protections, which allows a local user to elevate their privileges to root via multiple symlink attacks and race conditions.
- The module pam_namespace in linux-pam <= 1.7.0 may access user-controlled paths without proper protections, which allows
- a local user to elevate their privileges to root via multiple symlink attacks and race conditions.
Systems are vulnerable if they use pam_namespace to polyinstantiate a directory for which the path to the polyinstantiated directory is under user-control or the path to the instance directory is under user-control.
CVE-2025-6020 created at 19 Jun 2025 00:41:57
Severity
+ High
Remote
+ Local
Type
+ Arbitrary filesystem access
Description
+ The module pam_namespace in linux-pam <= 1.7.0 may access user-controlled paths without proper protections, which allows
+ a local user to elevate their privileges to root via multiple symlink attacks and race conditions.
+
+ Systems are vulnerable if they use pam_namespace to polyinstantiate a directory for which the path to the polyinstantiated directory is under user-control or the path to the instance directory is under user-control.
References
+ https://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx
+ https://github.com/linux-pam/linux-pam/releases/tag/v1.7.1
Notes