How a Polkit Bug Lets Local Users Gain Root on Linux (CVE‑2021‑3560)

A recent GitHub disclosure reveals that a long‑standing polkit vulnerability (CVE‑2021‑3560) enables unprivileged local users on many Linux distributions to obtain root privileges with just a few commands, prompting urgent updates for affected systems such as RHEL, Fedora, Debian and Ubuntu.

Open Source Linux

GitHub recently disclosed a Linux privilege‑escalation vulnerability that allows an unprivileged local user to obtain root privileges using only a few simple commands.

The flaw is in polkit, a system service installed by default on many Linux distributions and used by systemd, which means the issue impacts a wide range of Linux platforms.

The vulnerability, identified as CVE‑2021‑3560, was first discovered by GitHub Security Lab researcher Kevin Backhouse. After coordination with the polkit maintainers and Red Hat’s security team, a patch was released on 3 June 2021.

Although the bug has existed for about seven years—originating from commit bfa5036 and first appearing in polkit 0.113—most popular distributions did not ship the vulnerable version until recently.

Affected distributions include Red Hat Enterprise Linux (RHEL), Fedora, Debian and Ubuntu.

Polkit manages system permissions and may prompt administrators for a password when elevated rights are required. CVE‑2021‑3560 subverts this mechanism: an attacker can run commands such as bash, kill and dbus‑send to gain root.

The following diagram shows the five main processes involved after executing the dbus‑send command.

Kevin Backhouse warns that the exploit is easy to use, so users should promptly update their systems. Any Linux installation using polkit 0.113 or newer—including RHEL 8 and Ubuntu 20.04—is vulnerable.

Reference: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/#exploitation
