The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new flaw to its Known Exploited Vulnerabilities (KEV) catalog, signaling in-the-wild abuse, and giving federal agencies a patching deadline.
The vulnerability is described as a “use-after-free” flaw, found in Linux kernels from 5.14.21 up to 6.6.14. Popular Linux distros such as Debian and Ubuntu seem to be particularly vulnerable.
A “use-after-free” vulnerability is a type of memory corruption bug that happens when a program continues to use a pointer after the memory it points to has been freed. This can lead to various unpredictable behaviors, including crashes, data corruption, and, more critically, security breaches such as arbitrary code execution.
Time to patch
In this particular scenario, threat actors could abuse the vulnerability to achieve local privilege escalation, giving administrator privileges to users with basic access.
The good news is that kernels version 6.4 and newer, with specific configurations (like CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y) don’t seem to be affected. Additionally, the exploit requires user namespaces and nf_tables to be enabled, which are default settings in many distributions.
The vulnerability has been assigned a CVSS score of 7.8, indicating high severity. However, patches for most distros were made available in February 2024, meaning that a quick and easy fix is available, and there is no need for complicated workarounds.
With the latest addition to the KEV catalog, federal agencies have until June 20 to apply the patch and secure their premises, or stop using vulnerable programs entirely.
While CISA usually warns government agencies exclusively, that doesn’t mean that organizations in the private sector should ignore the warning. Instead, all Linux users should make sure they avoid keeping vulnerable kernels running, since many threat actors won’t be particularly picky when it comes to their targets.