It wasn’t easy to be on an admin or cybersecurity team in 2025. During the first quarter alone, cybersecurity researchers observed 159 CVEs being exploited in the wild. Several of these attacks targeted Linux hosts, focusing on kernel-level flaws and device-driver validation issues that often enabled local privilege escalation or information disclosure. Below, we discuss the seven Linux kernel vulnerabilities that were actively exploited and added to the CISA Known Exploited Vulnerabilities (KEV) Catalog this year.

1. CVE-2021-22555: Heap Out-Of-Bounds Write in Netfilter

CVE-2021-22555 is a vulnerability in the Linux kernel that allows local users to gain root access. The culprit is the nftables component of the netfilter subsystem, the networking-related part of the Linux kernel that manages packet filtering and NAT (network address translation). In nftables, the nft_set_elem_init() function deals with netlink messages. By sending specially crafted netlink attributes, an unprivileged local user can cause a heap out-of-bounds write, which means manipulating kernel memory and, as a result, gaining full system control and the ability to run arbitrary code. Since nftables is the component responsible for network control in most modern Linux distributions, CVE-2021-22555 ended up affecting a very, very wide range of systems.

Andy Nguyen from Google’s Project Zero discovered this issue back in May 2025. We list it here for three reasons. Number one: CISA added it to the Known Exploited Vulnerabilities (KEV) Catalog on October 6, 2025 (over four years after it was originally disclosed, but we all know how busy Linux admins are and the “don’t touch it while it works” mantra). Number two: the exploit works reliably across most systems using affected kernels, which makes it especially interesting for threat actors. And finally, it provides a practical way to escalate privileges at the kernel level.
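As an added example (not code from LinuxSecurity, Google, or the kernel project), here is a coarse exposure screen an admin could run for this CVE across a fleet. It gates on the 5.13 fix version the article gives and on whether unprivileged user namespaces are disabled, the fallback mitigation the article names. It assumes GNU sort -V, the upstream sysctl file /proc/sys/user/max_user_namespaces, and a constructed inventory format; the hostnames and kernel strings are made up for the example.

```shell
#!/bin/sh
# Added example, not code from LinuxSecurity or the kernel project: a coarse
# exposure screen for CVE-2021-22555 across an inventory of hosts.
# Assumptions: the fix ships in 5.13 as the article states; GNU sort -V is
# available; the inventory format below is constructed for the example.

FIXED_KERNEL="5.13"

# version_lt A B: succeeds when A sorts strictly before B in version order
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# base_version: strip the distro suffix, "5.10.0-28-amd64" -> "5.10.0"
base_version() {
    printf '%s\n' "$1" | sed 's/[-+].*//'
}

# userns_status FILE: read a sysctl value file, print enabled/disabled/unknown.
# Upstream the knob is /proc/sys/user/max_user_namespaces (0 = no new user
# namespaces for anyone); Debian/Ubuntu kernels that carry the patch also
# expose /proc/sys/kernel/unprivileged_userns_clone, which targets only
# unprivileged users.
userns_status() {
    val=$(cat "$1" 2>/dev/null) || { echo unknown; return; }
    case "$val" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# assess KERNEL USERNS: "patched" when the kernel is at or past the fix,
# "mitigated" when it is older but user namespaces are off, else "exposed"
assess() {
    if ! version_lt "$(base_version "$1")" "$FIXED_KERNEL"; then
        echo patched
    elif [ "$2" = disabled ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# triage_inventory FILE: one "host kernel userns" line per host -> "host verdict"
triage_inventory() {
    while read -r host kernel userns; do
        [ -z "$host" ] && continue
        printf '%s %s\n' "$host" "$(assess "$kernel" "$userns")"
    done < "$1"
}

# Constructed inventory (not real hosts): hostname, uname -r output, userns status
INVENTORY=$(mktemp)
cat > "$INVENTORY" <<'EOF'
web01 5.4.0-150-generic enabled
db01  5.10.0-28-amd64   disabled
k8s01 6.1.0-18-amd64    enabled
EOF

# Same logic against the running kernel of the local host
check_local() {
    assess "$(uname -r)" "$(userns_status /proc/sys/user/max_user_namespaces)"
}

triage_inventory "$INVENTORY"
```

A version gate is only a first screen: distributions backport fixes into older kernel series, so a 5.4 or 5.10 vendor kernel may already carry the fix. Confirm against the distribution's advisory or package changelog before treating a host as exposed, and treat "mitigated" as a stopgap, not a fix, since setting user.max_user_namespaces to 0 also breaks containers and sandboxes that rely on user namespaces.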
Nguyen presented public proof-of-concept exploits, demonstrating that CVE-2021-22555 can achieve full root compromise from a regular user account in seconds on default configurations. The issue got a CVSS score of 8.3 (according to NVD), which is quite severe. If you’re running Linux kernel versions from 2.6 to 5.12, you likely have a problem with CVE-2021-22555. A patch was released in May 2025, and the advice to admins was (and still is, if not yet followed) to upgrade to a patched kernel version (5.13 or higher) as soon as possible. If you can’t upgrade for some reason, you’ll need to disable unprivileged user namespaces. As we said, it’s on CISA’s list: malicious actors have used CVE-2021-22555 in Linux kernel exploit chains to escape from containers and escalate local privileges. Check out the LinuxSecurity advisory for CVE-2021-22555 for SUSE Linux.

2. CVE-2025-38352: TOCTOU Race in POSIX CPU Timers Leading to Use-After-Free

CVE-2025-38352 is a race-condition vulnerability in the Linux kernel’s POSIX CPU timers code, specifically a TOCTOU (time-of-check/time-of-use) race between handle_posix_cpu_timers() and posix_cpu_timer_del(). If an existing non-autoreaping task has passed exit_notify() and handle_posix_cpu_timers() runs from an interrupt context, the task can be reaped by its parent or a debugger immediately after unlock_task_sighand(), leading to a use-after-free or similar memory-corruption condition in the kernel timer cleanup path. The upstream kernel maintainers fixed the flaw in mid-2025 with several stable backport commits that correct the race in the posix-cpu-timers logic. The bug carries a high-severity impact (CVSS v3.x ≈ 7.0–7.4 in public trackers) because a successful race can result in denial of service and potentially privilege escalation or arbitrary kernel memory corruption on affected systems.
It affects Linux kernel trees used by many distributions and was subsequently observed in the Android kernel stack as well; vendors released kernel fixes, and Google included the fix in its September 2025 Android security updates after reports of limited, targeted exploitation. Several vulnerability trackers and vendor advisories (including NVD, Tenable, and distro advisories) recommend applying the supplied kernel patches or vendor kernels as soon as possible. The issue is on our list because it has already been exploited in the wild: CISA added it to the KEV Catalog on 25 September 2025.

3. CVE-2023-0386: Improper UID/Capability Preservation in OverlayFS

CVE-2023-0386 is a high-severity local privilege-escalation bug in the Linux kernel’s OverlayFS subsystem that stems from improper ownership management when copying files between mounts. Specifically, an attacker can copy a “capable” (i.e., setuid/setcap) file from a nosuid mount into another mount in a way that bypasses the expected ownership/capability checks, allowing unauthorized execution with elevated privileges. The flaw was patched upstream in early 2023 after public disclosure, and technical writeups documented how the overlay copy path mishandles UID/ownership mapping. Because the bug enables local users to gain root privileges on affected kernels, it has a strong real-world impact for multi-user systems, containers, and cloud hosts that rely on OverlayFS; the public CVSS is around 7.8, and multiple proof-of-concept exploits were published shortly after disclosure. Vendors released kernel fixes and distro advisories (and have continued to backport fixes since). CISA added CVE-2023-0386 to the KEV catalog on July 8, 2025, after receiving evidence of attackers exploiting the vulnerability in the wild.
The advice to admins is unsurprising: ensure that kernels are updated to include the vendor patch, or apply vendor mitigations (restrict OverlayFS use or apply livepatches so that you don’t need to reboot). If that advice wasn’t applied in a timely manner, the other advice is to hunt for signs of local compromise. Read the full LinuxSecurity advisory for CVE-2023-0386.

4. CVE-2024-53150: ALSA USB-Audio Driver Out-of-Bounds Read When Parsing Clock Descriptors

CVE-2024-53150 is a vulnerability in the ALSA USB-audio driver, which is part of the Linux kernel. The driver didn’t properly check the USB descriptor’s bLength parameter. Because of that, if an attacker created a device with a shorter bLength than expected, they could trigger an out-of-bounds read in kernel memory. Which, as we all know, means information disclosure. The vulnerability was disclosed in December 2024, and maintainers fixed it in the official kernel version, providing backports for stable releases. Soon afterward, Ubuntu, Red Hat, and other Linux distros published advisories and kernel updates to address the issue.

Now, to the practical impact. An attacker, who needs physical access to the system, can craft a malicious USB-audio device that forces the unpatched kernel to read beyond the bounds of the buffer, from memory it was never supposed to read. This means leaking kernel memory (with all the sensitive data or cryptographic keys it contained). The issue has a high severity rating: in the NVD it has a CVSS of 7.1, while Ubuntu, for example, gave it 7.8, nearing critical. Admins are expected to apply updates ASAP or block untrusted USB devices if updating is not an option for whatever reason. CISA added CVE-2024-53150 to the KEV Catalog on April 9, 2025. Read more about CVE-2024-53150 on LinuxSecurity.

5. CVE-2024-53197: ALSA USB-Audio bNumConfigurations Validation Failure — Out-of-Bounds Kernel Access

CVE-2024-53197 is yet another ALSA audio-related vulnerability in the Linux kernel that CISA added to the KEV catalog on the very same day, even though it was originally published three days later than CVE-2024-53150. The root cause is roughly the same: again, a lack of validation by the driver. This time, using a malicious or malformed USB device, an attacker can supply an invalid bNumConfigurations value that exceeds the initial value used when usb_get_configuration() allocates dev->config. The driver failed to validate it before accessing or destroying configurations, so the malicious device can cause out-of-bounds reads or writes (for instance, in usb_destroy_configuration). This leads to kernel memory corruption. Upstream kernel maintainers fixed the root cause with patches that validate the configuration count and adjust the allocation/teardown logic.

The good news is that exploitation requires either physical or emulated access to the system: the attacker needs to plug in a malicious USB audio device. The bad news is that exploiting it can result in crashes, information leakage, local privilege escalation, and arbitrary code execution (the latter two if chained with other exploits). CVE-2024-53197 has been exploited in the wild, and CISA included it in its Known Exploited Vulnerabilities Catalog (on the 9th of April, as mentioned before). Multiple vendors (Ubuntu, Red Hat, SUSE, and others) released advisories with patched kernels or backports. Administrators were urged to apply vendor kernel updates and avoid connecting untrusted USB devices until systems are patched (not that anybody ever recommended connecting untrusted USB devices anyway). CISA says to “discontinue use of the product if mitigations are unavailable,” as if you could just do that on a whim.

6. CVE-2024-50302: Uninitialized HID Report Buffer Leads to Kernel Memory Leak

CVE-2024-50302 is a Linux kernel vulnerability in the HID core that stems from using an uninitialized “report” buffer: the kernel did not zero-initialize the buffer on allocation, so specially crafted HID reports (for example, from a malicious or malformed USB HID device) could cause the kernel to return or otherwise expose residual kernel memory contents. Upstream maintainers corrected the code to zero-initialize the report buffer during allocation, removing the possibility of leaking kernel memory. The issue is treated as a high priority by multiple vendors because it can lead to information disclosure and has low local attack complexity; vendor advisories and downstream patches (Ubuntu, Red Hat, etc.) have been released, and operators are advised to apply those kernel updates or vendor backports. Exploitation has been reported by both vendors and users, so CISA added CVE-2024-50302 to its KEV catalog on March 25, 2025. Admins should consider affected hosts exposed until patched. It’s also best to avoid connecting untrusted USB HID devices to sensitive systems until you remediate the issue. Read the full LinuxSecurity advisory for CVE-2024-50302 for SUSE Linux.

7. CVE-2024-53104: Out-of-Bounds Write in USB Video Class (uvcvideo) Driver

CVE-2024-53104 is an out-of-bounds write vulnerability in the Linux kernel’s UVC (USB Video Class) uvcvideo driver. The problem was that UVC_VS_UNDEFINED frames were skipped by the uvc_parse_format() function and not taken into account when computing the frame buffer size used by uvc_parse_streaming(). Take a malformed device that supplies such frames, and it can cause the driver to write past the end of the allocated buffer. Upstream kernel patches correct the parsing/size-calculation logic to ensure UVC_VS_UNDEFINED frames are handled (or ignored safely) and eliminate the out-of-bounds condition.
Because the flaw is in a kernel driver that processes USB input, exploitation requires physical (or emulated/virtual) access to the host via a malicious or specially crafted UVC device (for example, a tampered webcam or BadUSB device). Out-of-bounds writes in kernel space cause the usual trouble: crashes and, in some exploit chains, local privilege escalation or arbitrary code execution. That sounds bad enough, so the issue has a well-deserved CVSS of 7.8 in the NVD. There was evidence of attackers exploiting this vulnerability, which prompted CISA to add CVE-2024-53104 to its KEV catalog on February 5, 2025. Multiple vendors (including Ubuntu, Red Hat, and others) published advisories and patched kernels. Administrators should, as usual, apply those vendor kernel updates or vendor-supplied backports and avoid connecting untrusted USB video devices until systems are patched.

General Recommendations for Administrators

Use both internal and external asset discovery to close blind spots. Use both internal and external asset discovery tools to create and continuously update an inventory of hosts, cloud instances, containers, and technologies. Map discovered assets to their owners, OS versions, kernel versions, and other technology so that you always have full visibility into the hardware and software you’re using. That should allow you to prioritize remediation (whether because a higher-priority system is internet-facing, business-critical, or for other reasons).

Automate inventory → scanning → patching workflows. Where possible, link your asset inventory to vulnerability scanners and patch-management systems so that fixes for a given CVE automatically generate tickets or remediation runs. Include kernel/package version checks in your automation to detect vulnerable kernels quickly.

Treat KEV-listed issues as top priority. If you get news about yet another KEV kernel vulnerability and you seem to have vulnerable systems, update them first. Or at least apply live patches from the vendors if you can’t immediately reboot the system. For critical systems, test patches in a staging environment first, then roll them out. A rollback plan is always nice to have, too.

Harden the USB/HID/device attack surface. A lot of kernel vulnerabilities seem to be connected with the use of USB HID devices. So it makes sense to restrict the use of removable USB devices on servers and critical endpoints (use USBGuard, implement udev rules, disable unused USB host controllers). In addition, policies about which devices are allowed and educating staff about the risks that untrusted devices pose could help. For high-risk hosts, consider disabling user-accessible USB ports entirely.

Reduce the attack surface wherever possible. If risky features (like unprivileged user namespaces) are not needed, disable or remove them. Lock down container runtimes by avoiding root access inside containers and sticking to least-privilege mounts. Remove any kernel modules you don’t actually use. And if it fits your setup, enable kernel lockdown and apply SELinux or AppArmor policies for extra protection.

Apply layered detection & response. Monitor for kernel oops/panics, unexpected module loads, sudden setuid changes, and anomalous privilege escalations. Feed kernel logs and audit events into your SIEM and hunt for known exploitation indicators (unexpected USB enumeration, rapid process spawning from low-privilege accounts, abnormal syscall patterns).

Takeaway For Admins 2025

So, 2025 doesn’t seem to be the year when Linux admins and security teams can relax and think there are no problems with Linux kernels. Race-condition bugs and recurring driver and descriptor validation issues in all sorts of components (ALSA audio, UVC video, HID device drivers, and more) were exploited in the wild. Despite their relatively high complexity (and some require physical access), malicious actors exploited them anyway. Which reminds us yet again that kernel patches are just as important as they have ever been. Perhaps even more so now.

To stay ahead, focus on three core actions:

Prioritize patching: start with KEV-listed vulnerabilities and use vendor livepatching when reboots can’t happen right away.

Eliminate blind spots: ensure full visibility into internal and external assets so you know which systems and kernels require updates.

Lock down device-facing attack surfaces: monitor and harden areas like USB, HID, audio, and video interfaces, and actively hunt for signs of compromise.

Sticking to these practices can help protect your organization from kernel-level attacks, or at the very least, reduce the time attackers have to take advantage of them.

MaK Ulac
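As an added example that is not part of the article or any vendor's tooling, the following shell helpers put the "harden the USB/HID/device attack surface" and "layered detection & response" recommendations into practice. They assume GNU coreutils and dmesg-style kernel log lines; the module names are the drivers discussed in the article (snd-usb-audio, uvcvideo, usbhid), the sysfs authorized_default attribute is the real kernel interface for refusing new USB devices, and the sample log is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): audit helpers for the
# "harden USB attack surface" and "layered detection" recommendations.
# Assumptions: GNU coreutils; kernel log lines in the dmesg/journal format
# shown in the constructed sample below.

# Drivers named in the article's CVE list. Blacklisting only makes sense on
# hosts that never need USB audio or webcams; usbhid is deliberately left out
# because keyboards and mice depend on it.
RISKY_MODULES="snd-usb-audio uvcvideo"

# blacklist_fragment: prints a modprobe.d fragment that prevents autoloading
# of the listed modules ("install ... /bin/false" also blocks explicit modprobe).
blacklist_fragment() {
    for m in $RISKY_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# deny_new_usb_by_default: set authorized_default=0 on every USB host controller
# so newly plugged devices stay unauthorized until an admin allows them.
# Writes to real sysfs paths, needs root, and is not run by the self-test.
deny_new_usb_by_default() {
    for ctl in /sys/bus/usb/devices/usb*/authorized_default; do
        [ -e "$ctl" ] && echo 0 > "$ctl"
    done
}

# hunt_kernel_log FILE: prints tab-separated findings in three indicator classes
#   usb-new-device : a device enumeration ("New USB device found")
#   driver-bind    : snd-usb-audio / uvcvideo / usbhid taking a device
#   kernel-oops    : Oops, BUG, or general protection fault lines
hunt_kernel_log() {
    while IFS= read -r line; do
        case "$line" in
            *"New USB device found"*) printf 'usb-new-device\t%s\n' "$line" ;;
            *snd-usb-audio*|*uvcvideo*|*usbhid*) printf 'driver-bind\t%s\n' "$line" ;;
            *Oops*|*"BUG:"*|*"general protection fault"*) printf 'kernel-oops\t%s\n' "$line" ;;
        esac
    done < "$1"
}

# count_findings FILE CLASS: number of findings of one class (0 is not an error)
count_findings() {
    hunt_kernel_log "$1" | cut -f1 | grep -c -x -- "$2" || true
}

# Constructed sample log (not captured from a real host).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[  101.2] usb 1-3: New USB device found, idVendor=1234, idProduct=abcd
[  101.3] usb 1-3: Product: Example Audio Device
[  101.9] snd-usb-audio 1-3:1.0: probing
[  102.4] BUG: KASAN: slab-out-of-bounds in uvc_parse_streaming
[  103.0] usb 1-4: New USB device found, idVendor=5678, idProduct=ef01
[  103.2] uvcvideo 1-4:1.0: Found UVC 1.00 device
[  104.0] Oops: 0000 [#1] SMP
EOF

hunt_kernel_log "$SAMPLE_LOG"
```

On a real host, feed hunt_kernel_log with dmesg or journalctl -k output and forward the findings to the SIEM; a "usb-new-device" immediately followed by a "kernel-oops" on a server that should never see new USB devices is exactly the sequence worth an alert. Note that authorized_default only affects devices plugged in after it is set, so a replacement keyboard will stay dead until someone writes 1 to that device's own authorized attribute; USBGuard, which the article mentions, is the policy layer that makes such exceptions manageable.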