6.7 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Polkit: xml policy file with a large number of nested elements may lead to out-of-bounds write
A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.
References
- https://access.redhat.com/security/cve/CVE-2025-7519 x_refsource_REDHAT vdb-entry
- RHBZ#2379675 issue-tracking x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2025-7519 x_refsource_REDHAT vdb-entry
- RHBZ#2379675 issue-tracking x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2025-7519 x_refsource_REDHAT vdb-entry
- RHBZ#2379675 issue-tracking x_refsource_REDHAT
- https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f…
- https://github.com/polkit-org/polkit/pull/570
- https://github.com/polkit-org/polkit/pull/570
- https://access.redhat.com/security/cve/CVE-2025-7519 x_refsource_REDHAT vdb-entry
- RHBZ#2379675 issue-tracking x_refsource_REDHAT
- https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f…
- RHBZ#2379675 issue-tracking x_refsource_REDHAT
- https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f…
- https://github.com/polkit-org/polkit/pull/570
- https://access.redhat.com/security/cve/CVE-2025-7519 x_refsource_REDHAT vdb-entry
- https://access.redhat.com/security/cve/CVE-2025-7519 x_refsource_REDHAT vdb-entry
- RHBZ#2379675 issue-tracking x_refsource_REDHAT
- https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f…
- https://github.com/polkit-org/polkit/pull/570
Affected products
- =<126
Matching in nixpkgs
pkgs.polkit
Toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes
-
nixos-unstable -
- nixpkgs-unstable 126
pkgs.cmd-polkit
Easily create polkit authentication agents by using commands
-
nixos-unstable -
- nixpkgs-unstable 0.3.0
pkgs.polkit_gnome
Dbus session bus service that is used to bring up authentication dialogs
-
nixos-unstable -
- nixpkgs-unstable 0.105
pkgs.hyprpolkitagent
Polkit authentication agent written in QT/QML
-
nixos-unstable -
- nixpkgs-unstable 0.1.3
pkgs.mate.mate-polkit
Integrates polkit authentication for MATE desktop
-
nixos-unstable -
- nixpkgs-unstable 1.28.1
pkgs.pcscliteWithPolkit
Middleware to access a smart card using SCard API (PC/SC)
-
nixos-unstable -
- nixpkgs-unstable 2.3.0
pkgs.libsForQt5.polkit-qt
Qt wrapper around PolKit
-
nixos-unstable -
- nixpkgs-unstable 1-0.114.0
pkgs.kdePackages.polkit-qt-1
Qt wrapper around Polkit-1 client libraries
-
nixos-unstable -
- nixpkgs-unstable 1-0.200.0
pkgs.plasma5Packages.polkit-qt
Qt wrapper around PolKit
-
nixos-unstable -
- nixpkgs-unstable 1-0.114.0
pkgs.lomiri.lomiri-polkit-agent
Policy kit agent for the Lomiri desktop
-
nixos-unstable -
- nixpkgs-unstable 0.3
pkgs.kdePackages.polkit-kde-agent-1
Daemon providing a Polkit authentication UI for Plasma
-
nixos-unstable -
- nixpkgs-unstable 1-6.4.5
pkgs.pantheon.pantheon-agent-polkit
Polkit Agent for the Pantheon Desktop
-
nixos-unstable -
- nixpkgs-unstable 8.0.1
Package maintainers
-
@Daru-san Daru <zadarumaka@proton.me>
-
@NotAShelf NotAShelf <raf@notashelf.dev>
-
@khaneliman Austin Horstman <khaneliman12@gmail.com>
-
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
-
@donovanglover Donovan Glover
-
@fufexan Fufezan Mihai <fufexan@protonmail.com>
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
-
@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
-
@ttuegel Thomas Tuegel <ttuegel@mailbox.org>
-
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
-
@mjm Matt Moriarity <matt@mattmoriarity.com>
-
@NickCao Nick Cao <nickcao@nichi.co>
-
@K900 Ilya K. <me@0upti.me>
-
@OPNA2608 Cosima Neidahl <opna2608@protonmail.com>
-
@johannesloetzsch Johannes Lötzsch <github@johannesloetzsch.de>
-
@romildo José Romildo Malaquias <malaquias@gmail.com>
-
@bobby285271 Bobby Rong <rjl931189261@126.com>
-
@davidak David Kleuker <post@davidak.de>
-
@anthonyroussel Anthony Roussel <anthony@roussel.dev>
-
@jtojnar Jan Tojnar <jtojnar@gmail.com>