CISA Issues Urgent Warning: Actively Exploited Linux Kernel Flaws Demand Immediate Patching
- John Jordan
- Jun 18
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding actively exploited privilege escalation vulnerabilities in the Linux kernel. These critical flaws, including CVE-2024-53104 and CVE-2023-0386, allow attackers to gain root access, posing significant risks to systems worldwide. Immediate patching is strongly advised for all affected Linux distributions.

CISA's Urgent Alert
CISA has added multiple Linux kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. This includes CVE-2024-53104, a privilege escalation flaw in the kernel's USB Video Class driver, and CVE-2023-0386, an improper ownership bug in the OverlayFS subsystem.
Federal Civilian Executive Branch (FCEB) agencies are mandated to patch these vulnerabilities by specific deadlines, with CISA urging private organizations to follow suit.
Understanding the Vulnerabilities
CVE-2024-53104: USB Video Class Driver Flaw
This vulnerability is a privilege escalation flaw in the Linux kernel's USB Video Class driver. An authenticated local attacker can exploit it to elevate privileges with low complexity. The issue stems from improper parsing of frames, which leads to a miscalculated frame buffer size and potential arbitrary code execution or denial-of-service attacks.
CVE-2023-0386: OverlayFS Improper Ownership
This flaw is an improper ownership management vulnerability within the OverlayFS subsystem. It allows local users to escalate privileges and potentially gain root-level access. The vulnerability occurs when a user copies a file with special capabilities from a mount into another mount, due to the kernel's failure to properly clear and bits during the copy-up operation.
A proof-of-concept exploit for CVE-2023-0386 demonstrates its ease of exploitation, particularly in containerized, virtualized, or multi-user Linux environments.
Broader Impact: CVE-2025-6018 and CVE-2025-6019
Beyond the CISA-listed vulnerabilities, other critical Linux privilege escalation flaws have been identified:
CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
---|---|---|---|---|
CVE-2025-6018 | openSUSE Leap 15, SUSE Linux Enterprise 15 | Elevation to "allow_active" user | Local access (e.g., SSH) to vulnerable PAM configuration | 8.8 (High) |
CVE-2025-6019 | libblockdev package, udisks daemon (Ubuntu, Debian, Fedora, openSUSE Leap 15+) | Full root privileges | "allow_active" context (e.g., via CVE-2025-6018 or physical console access) | 7.8 (High) |
These interconnected flaws can lead to full root access on major Linux distributions, highlighting the widespread nature of the threat.
Mitigation and Recommendations
Organizations must implement immediate countermeasures to prevent exploitation:
Apply Vendor Patches: Prioritize and apply all available patches for affected Linux kernel versions and related components.
Review CISA's KEV Catalog: Regularly consult the KEV catalog and address identified vulnerabilities promptly.
Modify Polkit Rules: For vulnerabilities like CVE-2025-6019, modify polkit rules for the org.freedesktop.udisks2.modify-device action, changing allow_active to auth_admin to require administrator authentication.
Discontinue Vulnerable Products: If no mitigation is available, discontinue the use of vulnerable products.
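To verify the polkit change described above, the following added example (not code from CISA, the vendors, or the original article) parses a polkit `.policy` file and reports whether the implicit `allow_active` default for `org.freedesktop.udisks2.modify-device` still permits the action without administrator authentication. The embedded policy is a constructed sample, and the script inspects only the policy file's defaults, so rules under polkit's `rules.d` directories, which can override those defaults, must be reviewed separately.

```python
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"  # action named in the article
# Implicit-authorization values that demand admin credentials or deny outright.
ADMIN_ONLY = {"auth_admin", "auth_admin_keep", "no"}

# Constructed sample in polkit's .policy XML layout; not copied from any distribution.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.constructed.other-action">
    <defaults>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""


def audit_allow_active(policy_xml, action_id=ACTION_ID):
    """Return (status, value) for the action's implicit allow_active default."""
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        if action.get("id") != action_id:
            continue
        value = (action.findtext("defaults/allow_active") or "").strip()
        if not value:
            # Element absent or empty: report it instead of guessing the effective policy.
            return ("missing", None)
        if value in ADMIN_ONLY:
            return ("ok", value)
        return ("weak", value)  # yes / auth_self / auth_self_keep
    return ("not-found", None)


def main(path=None):
    data = open(path, "rb").read() if path else SAMPLE_POLICY
    status, value = audit_allow_active(data)
    print(f"{ACTION_ID}: allow_active={value!r} -> {status}")
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path to the udisks2 policy file on the host as the only argument; a non-zero exit status means the default still needs to be changed or could not be confirmed.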
Given the active exploitation and the potential for severe impact, immediate action is crucial to secure Linux environments against these critical privilege escalation flaws.