
A privilege escalation vulnerability has been discovered in Below, a tool for recording and displaying system data on Linux systems. Tracked as CVE-2025-27591 with a CVSS score of 7.8, the flaw exists in versions prior to v0.9.0.
The vulnerability stems from an “Incorrect Permission Assignment for Critical Resource in below.” Specifically, the Below service creates a world-writable directory at /var/log/below. This insecure permission could allow local unprivileged users to escalate their privileges to root.
According to the report, the issue can be exploited through symlink attacks. An attacker could manipulate files, such as /etc/shadow, to gain root privileges. Matthias Gerstner, who reported the flaw, explained in a blog post: “Symlink Attack in /var/log/below/error_root.log.”
The Below systemd service runs with full root privileges and attempts to create a world-writable directory in /var/log/below. Even if the directory exists, the code ensures it has 0777 permissions.
The behavior of this code varies slightly across different Linux distributions due to differences in how the directory is packaged:
- In openSUSE Tumbleweed and Gentoo Linux, the directory is created with mode 01755, which results in the set_permissions() call running and setting the mode to 0777.
- In Fedora Linux, the directory is packaged with 01777 permissions, so the set_permissions() code does not run.
- In Arch Linux AUR, the log directory is not pre-created, so the set_permissions() code runs and creates the directory with mode 0777.
Below creates a log file at /var/log/below/error_root.log and assigns mode 0666 to it. A local unprivileged attacker can use a symlink attack to manipulate this and cause an arbitrary file in the system to obtain 0666 permissions. This could lead to a full local root exploit, for example, by pointing the symlink to /etc/shadow.
The blog also raises concerns about other permissions and file handling by Below.
- The world-writable permissions and world-readable permissions applied by Below under /var/log/below are considered strange.
- Below stores internal state data within the log directory at /var/log/below/store, which is world-readable and could lead to information leaks.
- An unprivileged user can pre-create this directory and control its contents, which could violate Below’s integrity.
The vulnerability is patched in Below version 0.9.0. Users of Below are advised to upgrade to version 0.9.0. As a workaround, users can manually change the permissions on /var/log/below.
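As an added illustration (not code from Below or from the advisory), the script below reproduces the file-handling pattern described above in a throwaway temporary directory that stands in for /var/log/below, and contrasts it with the hardened pattern: opening the log with O_NOFOLLOW and setting the mode with fchmod on the descriptor rather than chmod on the path name, so a symlink planted at the path is neither followed nor has its target's mode changed. It also includes a small audit function of the kind an administrator applying the workaround would run to confirm the directory and its files are no longer world-writable. File names such as victim.txt and the 0640 target mode are constructed for the example.

```python
import errno
import os
import shutil
import stat
import tempfile

WORLD_WRITABLE = stat.S_IWOTH


def audit_dir(path):
    """Return findings for a log directory: world-writable directory mode,
    world-writable files, and any symlinks inside it (the conditions the
    advisory describes). Uses lstat so symlinks are reported, not followed."""
    findings = []
    st = os.lstat(path)
    if st.st_mode & WORLD_WRITABLE:
        findings.append(f"{path}: directory is world-writable "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{full}: symlink inside log directory")
        elif fst.st_mode & WORLD_WRITABLE:
            findings.append(f"{full}: world-writable file "
                            f"(mode {stat.S_IMODE(fst.st_mode):04o})")
    return findings


def open_log_safely(path, mode=0o640):
    """Hardened pattern: create/open the log without following symlinks and
    apply the mode to the open descriptor. A symlink at `path` makes
    os.open fail with ELOOP instead of touching the link target."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, mode)
    os.fchmod(fd, mode)  # O_CREAT honours umask; enforce the intended mode
    return fd


def demo():
    """Constructed scenario: a 0777 directory (as the advisory describes),
    a protected file, and a symlink named like Below's error log."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o777)
        target = os.path.join(base, "victim.txt")   # stands in for a protected file
        with open(target, "w") as f:
            f.write("sensitive\n")
        os.chmod(target, 0o600)
        link = os.path.join(base, "error_root.log")
        os.symlink(target, link)

        # Vulnerable pattern: chmod on a path name follows the symlink,
        # so the protected target ends up with mode 0666.
        os.chmod(link, 0o666)
        vulnerable_mode = stat.S_IMODE(os.stat(target).st_mode)
        os.chmod(target, 0o600)  # restore before trying the hardened pattern

        # Hardened pattern: the symlink is refused and the target is untouched.
        refused = False
        try:
            os.close(open_log_safely(link))
        except OSError as e:
            refused = e.errno == errno.ELOOP
        hardened_mode = stat.S_IMODE(os.stat(target).st_mode)

        return {
            "vulnerable_mode": vulnerable_mode,   # 0o666
            "hardened_refused": refused,          # True
            "hardened_mode": hardened_mode,       # 0o600, unchanged
            "findings": audit_dir(base),          # 0777 dir + the symlink
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same audit function can be pointed at the real /var/log/below after applying the manual workaround; with the directory and its files no longer world-writable and no stray symlinks present, it returns an empty list.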