Discover Security Vulnerabilities News
Google Discloses CentOS Linux Kernel Vulnerabilities Following Failure to Issue Timely Fixes
Google Project Zero is a security team responsible for discovering security flaws in Google's own products as well as software developed by other vendors. Following discovery, the issues are privately reported to vendors and they are given 90 days to fix the reported problems before they are disclosed publicly. In some cases, a 14-day grace period is also given, depending on the complexity of the solution involved.
We have covered Google Project Zero's findings extensively in the past as it has reported vulnerabilities in software developed by Google, Microsoft, Qualcomm, Apple, and more. Now, the security team has reported several flaws in CentOS' kernel.
As detailed in the technical document here, Google Project Zero's security researcher Jann Horn learned that kernel fixes made to stable trees are not backported to many enterprise versions of Linux. To validate this hypothesis, Horn compared the CentOS Stream 9 kernel to the stable linux-5.15.y stable tree. For those unaware, CentOS is a Linux distro closest to Red Hat Enterprise Linux (RHEL) and its version 9 is based on the linux-5.14 release.