How a Simple Polkit Bug Lets Any User Gain Root on Linux (CVE‑2021‑3560)

GitHub recently disclosed a Linux vulnerability that can elevate an unprivileged local user to root with only a few simple commands. The exploit is demonstrated in the video below.

The flaw targets polkit , a system service installed by default on many Linux distributions and used via systemd. Because polkit is widely deployed, the vulnerability affects a large number of Linux releases.

GitHub Security Lab researcher Kevin Backhouse first discovered the issue, coordinated with the polkit maintainers and Red Hat’s security team, and the patch was released on June 3, 2021 under CVE‑2021‑3560.

The bug has existed for about seven years, introduced in commit bfa5036 and first appearing in polkit version 0.113. Many popular distributions did not ship the vulnerable version until recently.

Affected Distributions

Red Hat Enterprise Linux (RHEL)

Fedora

Debian

Ubuntu

Polkit manages system permissions and may prompt administrators for a password when higher privileges are requested. The CVE‑2021‑3560 vulnerability breaks this mechanism: an attacker can run commands such as bash, kill, and dbus‑send to gain root.

Kevin Backhouse notes that the exploit is easy to carry out, so users should update their Linux installations promptly. Any system running polkit 0.113 or newer—including RHEL 8 and Ubuntu 20.04—is at risk.

Reference: GitHub Blog – Privilege Escalation via Polkit