CVE-2025-6020: 
Rocky Linux vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-6020) was discovered in linux-pam, specifically affecting the pam_namespace module versions 1.7.0 and earlier. The vulnerability was discovered on January 29, 2025, and publicly disclosed on June 17, 2025 (OSS Security, NVD).

The vulnerability stems from the pam_namespace module's handling of user-controlled paths without proper protection mechanisms. The issue specifically involves the module accessing files and directories owned by unprivileged users during the polyinstantiation of directories. While the module implements security measures including file descriptor usage and bind mounting, these protections became ineffective for processes operating outside the mount namespace after Linux 3.18. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (OSS Security).

The vulnerability enables local users to elevate their privileges to root level through multiple symlink attacks and race conditions. This privilege escalation can occur when a user can launch a process outside of the mount namespace created by pamnamespace, allowing them to alter paths on which pamnamespace operates as root (OSS Security).

The vulnerability has been fixed in linux-pam version 1.7.1. The fix includes converting functions that operate on user-controlled paths to use file descriptors instead of absolute paths, maintaining the bind-mount protection as a defense-in-depth measure. Users are advised to update their namespace.init script if they use a custom version instead of the distribution-provided one. As a temporary workaround, users can disable pam_namespace or ensure it does not operate on user-controlled paths (OSS Security, Red Hat).