The US government warns of a critical security flaw in Linux and urges users to patch it immediately
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new flaw to its Known Exploited Vulnerabilities (KEV) catalog, a list reserved for bugs with evidence of exploitation in the wild, and has given federal agencies a deadline to patch it.
The vulnerability is described as a use-after-free flaw in the kernel's nf_tables (netfilter) subsystem, present in Linux kernels from 5.14.21 through 6.6.14. Popular distributions such as Debian and Ubuntu shipped kernels in that range, so they are particularly exposed.
A use-after-free vulnerability is a type of memory corruption bug that occurs when a program continues to use a pointer after the memory it points to has been freed. Whatever the allocator hands out next then aliases the stale pointer, so the outcome depends on what an attacker can arrange to land there: a crash, data corruption or, most importantly, a path to arbitrary code execution, which in the kernel means running with kernel privileges.
Time to patch
In this specific scenario, the flaw gives local escalation of privilege: an attacker who can already run code as an ordinary user on the machine can use it to become root. It is not a remote entry point on its own; it is the second stage after an initial foothold.
The good news is that kernels 6.4 and newer built with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y (which zeroes memory on allocation) reportedly defeat the public exploit. That is a hardening option that breaks one exploitation technique, not a fix for the bug, so such kernels should still be patched. Exploitation also requires nf_tables and unprivileged user namespaces, since a user namespace gives an unprivileged process the network-admin rights over its own network namespace that configuring nf_tables calls for; both are enabled by default in many distributions.
The vulnerability has been given a CVSS score of 7.8, indicating high severity. Patches have been available for most distributions since February 2024, so the fix is a routine kernel package update followed by a reboot (or a vendor live patch, where one is offered); no complicated workaround is required. Where the reboot has to wait, the preconditions above point at the stopgaps: restrict unprivileged user namespaces, or blocklist the nf_tables module on hosts that do not use it, bearing in mind that these only remove the public exploit's footing and do not remove the bug.
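A practitioner's first question is which hosts fall inside the version range above and meet the exploit's preconditions. The script below is an added example, not code from the article, CISA or any distribution: it takes the affected range (5.14.21 through 6.6.14) and the three conditions (nf_tables, user namespaces, init_on_alloc) from the text, and everything else (function names, verdict labels, the paths it reads the kernel config from) is this example's own assumption. Running it prints a one-line verdict for the running kernel; the helper functions can also be sourced and fed constructed inputs.

```sh
#!/bin/sh
# Triage helper for the nf_tables use-after-free discussed above. This is an
# added example, not code from the article, CISA or any distribution. The
# affected range (5.14.21 to 6.6.14 inclusive) and the three preconditions
# (nf_tables, user namespaces, init_on_alloc) come from the article; the
# function names, verdict labels and file paths are this example's assumptions.

LOW=5.14.21    # first affected release named in the article
HIGH=6.6.14    # last affected release named in the article

# Reduce a release string such as "6.5.0-28-generic" to "6 5 0".
kver_parts() {
    v=${1%%[!0-9.]*}            # drop everything from the first char that is not [0-9.]
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# Print lt, eq or gt for A < B, A = B, A > B (no dependency on sort -V).
kver_cmp() {
    set -- $(kver_parts "$1") $(kver_parts "$2")
    [ "$1" -ne "$4" ] && { [ "$1" -lt "$4" ] && echo lt || echo gt; return 0; }
    [ "$2" -ne "$5" ] && { [ "$2" -lt "$5" ] && echo lt || echo gt; return 0; }
    [ "$3" -ne "$6" ] && { [ "$3" -lt "$6" ] && echo lt || echo gt; return 0; }
    echo eq
}

# True when VERSION lies inside the article's affected range.
in_affected_range() {
    [ "$(kver_cmp "$1" "$LOW")" != lt ] && [ "$(kver_cmp "$1" "$HIGH")" != gt ]
}

# kconfig_state CONFIG_TEXT OPTION -> y (built in), m (module) or n (off/absent).
# A module counts as available: an unprivileged user in a fresh network namespace
# can trigger its autoload, which is exactly why user namespaces matter here.
kconfig_state() {
    s=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p")
    echo "${s:-n}"
}

# init_on_alloc_active CONFIG_TEXT CMDLINE -> true when freshly allocated memory is
# zeroed. The boot parameter overrides the Kconfig default in either direction.
init_on_alloc_active() {
    case " $2 " in
        *" init_on_alloc=1 "*) return 0 ;;
        *" init_on_alloc=0 "*) return 1 ;;
    esac
    [ "$(kconfig_state "$1" CONFIG_INIT_ON_ALLOC_DEFAULT_ON)" = y ]
}

# triage VERSION CONFIG_TEXT CMDLINE -> one-line verdict. Every "in-range-*" verdict
# means "patch"; the mitigated case only says the public exploit's technique is
# blunted, not that the bug is gone.
triage() {
    ver=$1; cfg=$2; cmd=$3
    if ! in_affected_range "$ver"; then
        echo "not-in-range"
        return 0
    fi
    nft=$(kconfig_state "$cfg" CONFIG_NF_TABLES)
    userns=$(kconfig_state "$cfg" CONFIG_USER_NS)
    if init_on_alloc_active "$cfg" "$cmd"; then ioa=yes; else ioa=no; fi
    if [ "$nft" = n ] || [ "$userns" = n ]; then
        echo "in-range-missing-preconditions nf_tables=$nft user_ns=$userns"
    elif [ "$ioa" = yes ] && [ "$(kver_cmp "$ver" 6.4)" != lt ]; then
        echo "in-range-exploit-mitigated nf_tables=$nft user_ns=$userns init_on_alloc=yes"
    else
        echo "in-range-exploitable nf_tables=$nft user_ns=$userns init_on_alloc=$ioa"
    fi
}

# Apply the checks to the running kernel. The config comes from /proc/config.gz or
# /boot/config-$(uname -r); when neither is readable the precondition fields are
# unknown rather than "n", so say so instead of reporting false comfort.
running_kernel_report() {
    rel=$(uname -r)
    cfg=""
    if [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$rel" ]; then
        cfg=$(cat "/boot/config-$rel")
    fi
    cmd=""
    if [ -r /proc/cmdline ]; then cmd=$(cat /proc/cmdline); fi
    if [ -z "$cfg" ] && in_affected_range "$rel"; then
        echo "kernel $rel: in-range (kernel config not readable, preconditions unknown)"
    else
        echo "kernel $rel: $(triage "$rel" "$cfg" "$cmd")"
    fi
}

running_kernel_report
```

The version test alone overreports on distribution kernels, which keep their upstream version number after the fix has been backported, so an in-range verdict means "check the vendor advisory or the package changelog", not "confirmed vulnerable". The reverse mistake is more dangerous: a freshly installed kernel package is not the running kernel until the host has rebooted, which is what the uname -r in the report line is there to confirm.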
With the latest addition to the KEV catalog, federal agencies have until June 20 to apply the patch and secure their networks, or to stop using the affected systems altogether.
CISA's deadline is binding only on federal civilian agencies, but that is no reason for the private sector to ignore the entry: inclusion in KEV means the flaw is being exploited in the wild, and many threat actors are not particularly picky about their targets. Every Linux operator should confirm that no vulnerable kernel is still running.