DEBIAN-CVE-2025-7519

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-7519

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-7519.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-7519

Upstream

CVE-2025-7519

Published

2025-07-14T14:15:25.593Z

Modified

2026-03-17T02:52:32.626310Z

Severity

6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly.

References

https://security-tracker.debian.org/tracker/CVE-2025-7519

Affected packages

Debian:11 / policykit-1

Package

Name: policykit-1
Purl: pkg:deb/debian/policykit-1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.105-31

0.105-31+deb11u1

0.105-31.1~deb12u1

0.105-31.1

0.105-32

0.105-33

0.109-1

0.110-1

0.110-2

0.110-3

0.112-1

0.112-2

0.112-3

0.112-4

0.112-5

0.113-1

0.113-2

0.113-3

0.113-4

0.113-5

0.113-6

0.114-1

0.115-1

0.115-2

0.115-3

0.116-1

0.116-2

0.116-3

0.117-1

0.118-1

0.118-2

0.119-1

0.120-1

0.120-2

0.120-3

0.120-4

0.120-5

0.120-6

Other

121-1

121-2

122-1

122-2

122-3

122-4

123-1

123-2

123-3

124-1

124-2

124-3

125-1

125-2

126-1

126-2

127-1

127-2

121+compat0.*

121+compat0.1-1

121+compat0.1-2

121+compat0.1-3

121+compat0.1-4

121+compat0.1-5

121+compat0.1-6

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-7519.json"

Debian:12 / policykit-1

Package

Name: policykit-1
Purl: pkg:deb/debian/policykit-1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

Other

122-3

122-4

123-1

123-2

123-3

124-1

124-2

124-3

125-1

125-2

126-1

126-2

127-1

127-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-7519.json"

Debian:13 / policykit-1

Package

Name: policykit-1
Purl: pkg:deb/debian/policykit-1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

Other

126-2

127-1

127-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-7519.json"

Debian:14 / policykit-1

Package

Name: policykit-1
Purl: pkg:deb/debian/policykit-1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

127-1

Affected versions

Other

126-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-7519.json"