
CISA Issues Urgent Warning: Actively Exploited Linux Kernel Flaws Demand Immediate Patching

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding actively exploited privilege escalation vulnerabilities in the Linux kernel. These critical flaws, including CVE-2024-53104 and CVE-2023-0386, allow attackers to gain root access, posing significant risks to systems worldwide. Immediate patching is strongly advised for all affected Linux distributions.


CISA's Urgent Alert

CISA has added multiple Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. This includes CVE-2024-53104, a privilege escalation flaw in the Kernel's USB Video Class driver, and CVE-2023-0386, an improper ownership bug in the OverlayFS subsystem.

  • Federal Civilian Executive Branch (FCEB) agencies are mandated to patch these vulnerabilities by specific deadlines, with CISA urging private organizations to follow suit.
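Checking whether the CVEs named here appear in the KEV feed, and whether their remediation deadline has already passed, is easy to script. The block below is an added example, not code from the article or from CISA: it reads a feed in the KEV catalog's JSON shape (the `vulnerabilities` array with `cveID`, `dueDate` and related fields), but the feed embedded here is a constructed sample with placeholder dates and labels, so it runs offline. The function `triageKev` and its status labels are the example's own.

```javascript
// Added example: triage a KEV-style feed for a list of CVEs.
// The real catalog is CISA's JSON download; this feed is CONSTRUCTED for the example
// and every date below is a placeholder, not the catalog's actual date.
const kevFeedSample = JSON.stringify({
  title: "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  vulnerabilities: [
    {
      cveID: "CVE-2024-53104",
      vendorProject: "Linux",
      product: "Kernel",
      vulnerabilityName: "USB Video Class driver privilege escalation (constructed label)",
      dateAdded: "2025-01-01",              // placeholder date
      requiredAction: "Apply mitigations per vendor instructions.",
      dueDate: "2025-01-22",                // placeholder date
      knownRansomwareCampaignUse: "Unknown"
    },
    {
      cveID: "CVE-2023-0386",
      vendorProject: "Linux",
      product: "Kernel",
      vulnerabilityName: "OverlayFS improper ownership (constructed label)",
      dateAdded: "2025-06-17",              // placeholder date
      requiredAction: "Apply mitigations per vendor instructions.",
      dueDate: "2025-07-08",                // placeholder date
      knownRansomwareCampaignUse: "Unknown"
    },
    {
      cveID: "CVE-0000-0000",               // unrelated filler entry, ignored by the filter
      vendorProject: "Example",
      product: "Example",
      vulnerabilityName: "Filler",
      dateAdded: "2025-01-01",
      requiredAction: "None",
      dueDate: "2025-01-01",
      knownRansomwareCampaignUse: "Unknown"
    }
  ]
});

// Report, for each CVE of interest, whether it is catalogued and whether its
// due date has passed relative to `today` (ISO yyyy-mm-dd strings compare lexically).
// CVEs absent from the catalog still need patching; KEV lists confirmed exploitation,
// not the full set of vulnerabilities worth fixing.
function triageKev(feedJson, cveIds, today) {
  const byId = {};
  for (const entry of JSON.parse(feedJson).vulnerabilities) {
    byId[entry.cveID] = entry;
  }
  return cveIds.map((id) => {
    const entry = byId[id];
    if (!entry) {
      return { cveID: id, inKev: false, status: "not in KEV (patch on vendor schedule)" };
    }
    const overdue = entry.dueDate < today;
    return {
      cveID: id,
      inKev: true,
      dueDate: entry.dueDate,
      requiredAction: entry.requiredAction,
      status: overdue ? "overdue" : "open"
    };
  });
}

// Stand-alone run: the two KEV-listed CVEs from the article plus one that the
// article describes as outside the KEV list.
const report = triageKev(
  kevFeedSample,
  ["CVE-2024-53104", "CVE-2023-0386", "CVE-2025-6019"],
  "2025-06-30"
);
for (const row of report) {
  console.log(row.cveID, row.status, row.dueDate || "");
}
```

To use it against the real catalog, fetch the JSON feed from CISA's KEV page and pass its text as `feedJson` with today's date; the placeholder dates above are only there so the example has something to compare.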

Understanding the Vulnerabilities

CVE-2024-53104: USB Video Class Driver Flaw

This vulnerability is a privilege escalation security flaw in the Linux Kernel's USB Video Class driver. An authenticated local attacker can exploit it to elevate privileges with low complexity. The issue stems from improper parsing of frames, leading to miscalculation of the frame buffer size and potential arbitrary code execution or denial-of-service attacks.

CVE-2023-0386: OverlayFS Improper Ownership

This flaw is an improper ownership management vulnerability within the OverlayFS subsystem. It allows local users to escalate privileges and potentially gain root-level access. The vulnerability occurs when a user copies a file with special capabilities from a mount into another mount, due to the kernel's failure to properly clear setuid and setgid bits during the copy-up operation.

  • A proof-of-concept exploit for CVE-2023-0386 demonstrates its ease of exploitation, particularly in containerized, virtualized, or multi-user Linux environments.

Broader Impact: CVE-2025-6018 and CVE-2025-6019

Beyond the CISA-listed vulnerabilities, other critical Linux privilege escalation flaws have been identified:

CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score
--- | --- | --- | --- | ---
CVE-2025-6018 | openSUSE Leap 15, SUSE Linux Enterprise 15 | Elevation to "allow_active" user | Local access (e.g., SSH) to vulnerable PAM configuration | 8.8 (High)
CVE-2025-6019 | libblockdev package, udisks daemon (Ubuntu, Debian, Fedora, openSUSE Leap 15+) | Full root privileges | "allow_active" context (e.g., via CVE-2025-6018 or physical console access) | 7.8 (High)

These interconnected flaws can lead to full root access on major Linux distributions, highlighting the widespread nature of the threat.

Mitigation and Recommendations

Organizations must implement immediate countermeasures to prevent exploitation:

  1. Apply Vendor Patches: Prioritize and apply all available patches for affected Linux kernel versions and related components.

  2. Review CISA's KEV Catalog: Regularly consult the KEV catalog and address identified vulnerabilities promptly.

  3. Modify Polkit Rules: For vulnerabilities like CVE-2025-6019, modify polkit rules for the org.freedesktop.udisks2.modify-device action, changing allow_active to auth_admin to require administrator authentication.

  4. Discontinue Vulnerable Products: If no mitigation is available, discontinue the use of vulnerable products.
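The polkit change in step 3 can be deployed as a rules drop-in rather than by editing the vendor's .policy file, which keeps the override intact across package upgrades. polkit rules files are JavaScript, so the block below is exactly what would go into the drop-in. It is an added example, not the article's or the udisks project's own configuration; the file name 10-udisks2-modify-device.rules is an assumption (polkitd reads rules.d files in lexical order, and the first rule that returns a result wins), and the small stand-in for the `polkit` global plus the `evaluateRules` helper exist only so the rule logic can be exercised outside polkitd.

```javascript
// Added example: /etc/polkit-1/rules.d/10-udisks2-modify-device.rules (file name assumed).
//
// Weak setting: the vendor .policy for org.freedesktop.udisks2.modify-device lets an
// active local session perform the action without authentication, i.e.
//   <allow_active>yes</allow_active>
// This rule overrides that for every subject so the action requires administrator
// authentication (the auth_admin result the article recommends).
//
// Kept in ES5 syntax on purpose: polkitd's embedded engine does not accept newer
// syntax, and a parse error would make polkitd reject the whole file.

// Stand-in for polkit's global, used only when this file runs outside polkitd
// (inside polkitd the global already exists and this branch is skipped).
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); }
  };
}

polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
  // Returning nothing lets polkitd fall through to later rules and the .policy defaults.
});

// Test helper (example-only, relies on the stand-in): run the registered rules the
// way polkitd would and return the first result, or NOT_HANDLED if none fired.
function evaluateRules(actionId, subject) {
  var rules = polkit._rules || [];
  for (var i = 0; i < rules.length; i++) {
    var result = rules[i]({ id: actionId }, subject);
    if (result !== undefined) {
      return result;
    }
  }
  return polkit.Result.NOT_HANDLED;
}
```

After dropping the file into rules.d, confirm the override from an active local session: the action should now prompt for administrator credentials instead of completing silently. Note that `pkaction --verbose` only reports the .policy defaults, not rules.d overrides, so it will still show the original `allow_active` value.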

Given the active exploitation and the potential for severe impact, immediate action is crucial to secure Linux environments against these critical privilege escalation flaws.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • U.S. CISA adds Linux kernel flaw to its Known Exploited Vulnerabilities catalog, Security Affairs.

  • CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability, The Hacker News.

  • Critical Linux Privilege Escalation Vulnerabilities Let Attackers Gain Full Root Access, CyberSecurityNews.

  • Google fixed actively exploited kernel zero-day flaw, Security Affairs.

  • CISA Alerts to Active Exploits of Linux Kernel Ownership Flaw, GBHackers News.
