OSG-SEC-2025-09-04 HIGH linux-pam: Incomplete fix for CVE-2025-6020 (CVE-2025-8941)
Dear OSG Security Contacts,
A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. CVE-2025-8941 tracks the completion of the fix for CVE-2025-6020, whose original fix was incomplete. Successful exploitation requires only the ability to create and manipulate filesystem paths in such directories, without the need for special capabilities or kernel-level vulnerabilities.
IMPACTED VERSIONS:
RHEL 8 and 9, and other distributions shipping linux-pam (see references).
WHAT ARE THE VULNERABILITIES:
This vulnerability in pam_namespace is rated Important because it allows a local, unprivileged user to escalate privileges to root by exploiting symlink attacks or race conditions in polyinstantiated directories under their control. In multi-user environments, such as shared systems, terminal servers, or certain container deployments, an unprotected or misconfigured pam_namespace configuration can serve as a single point of compromise. Privilege escalation flaws of this nature may also be chained with other vulnerabilities to maintain persistence or evade detection, further increasing the overall impact.
Attack Preconditions:
- Any valid, unprivileged user account.
- Ability to create/manipulate files in polyinstantiated directories (/tmp, /var/tmp, etc.).
WHAT YOU SHOULD DO:
Upgrade to fixed packages as they become available [1], [6], [7]. Interim mitigation: disable pam_namespace.so in /etc/pam.d/systemd-user, /etc/pam.d/login, and /etc/pam.d/remote if it is not strictly needed. RHEL 7 is impacted, but no fix is available because RHEL 7 reached End of Maintenance (EOM) on June 30, 2024; the fix for RHEL 7 is to upgrade to a supported OS version.
REFERENCES:
- [1] https://access.redhat.com/errata/RHSA-2025:15099
- [2] https://bugzilla.redhat.com/show_bug.cgi?id=2388220
- [3] https://access.redhat.com/security/cve/cve-2025-8941
- [4] https://nvd.nist.gov/vuln/detail/CVE-2025-8941
- [5] https://security-tracker.debian.org/tracker/CVE-2025-8941
- [6] https://errata.almalinux.org/
- [7] https://errata.build.resf.org/
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team