Kernel News and Security Lapses, Patches
-
University of Toronto ☛ A performance mystery with Linux WireGuard on 10G Ethernet
As a followup on discovering that WireGuard can saturate a 1G Ethernet (on Linux), I set up WireGuard on some slower servers here that have 10G networking. This isn't an ideal test but it's more representative of what we would see with our actual fileservers, since I used spare fileserver hardware. What I got out of it was a performance and CPU usage mystery.
-
Bleeping Computer ☛ New Linux udisks flaw lets attackers get root on major Linux distros
The first flaw (tracked as CVE-2025-6018) was found in the configuration of the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing local attackers to gain the privileges of the "allow_active" user.
-
Hacker News ☛ CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability
The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible systems. It was patched in early 2023.
-
Hot Hardware ☛ Major Linux Distros Are Exposed To A Root-Level Security Threat, Update ASAP
Linux server administrators, it's time to get your patch on. The boffins at Qualys, a security firm well known for its excellent SSL configuration tester, found a pair of security vulnerabilities that combined can grant any unprivileged user instant root (administrator) access.
The first vulnerability in this situation is the least impactful, but is key to the root-access combo. Security bulletin CVE-2025-6018 describes a misconfiguration in the default settings for the PAM (Pluggable Authentication Module) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15. The issue revolves around the "allow_active" flag being erroneously set and allowing non-local unprivileged users to perform some elevated-privilege actions. In other words, just SSH into the machine, and you'll likely be able to mount/unmount volumes, shut down and reboot the machine, etc.
-
Help Net Security ☛ Chaining two LPEs to get “root”: Most Linux distros vulnerable (CVE-2025-6018, CVE-2025-6019)
Qualys researchers have unearthed two local privilege escalation vulnerabilities (CVE-2025-6018, CVE-2025-6019) that can be exploited in tandem to achieve root access on most Linux distributions “with minimal effort.”
-
Bleeping Computer ☛ CISA warns of attackers exploiting Linux flaw with PoC exploit
CISA has warned U.S. federal agencies about attackers targeting a high-severity vulnerability in the Linux kernel's OverlayFS subsystem that allows them to gain root privileges.
This local privilege escalation security flaw (CVE-2023-0386) is caused by a Linux kernel improper ownership management weakness and was patched in January 2023 and publicly disclosed two months later.
Multiple proof-of-concept (PoC) exploits were also shared on GitHub starting in May 2023, making exploitation attempts easier to pull off and pushing the vulnerability to the top of Linux admins' patching priority lists.
-
Security Affairs ☛ U.S. CISA adds Linux Kernel flaw to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog.
Update
More on the same:
-
New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions
Cybersecurity researchers have uncovered two local privilege escalation (LPE) flaws that could be exploited to gain root privileges on machines running major Linux distributions.
-
Attackers exploit Linux vulnerability with PoC exploit
CISA warns US federal agencies about attackers targeting a serious security flaw in the OverlayFS submodule of the Linux kernel. This vulnerability allows attackers to gain root privileges.
-
How CVE-2025-6018 and CVE-2025-6019 Enable Full Root Access on Linux
Two newly uncovered Local Privilege Escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, could allow attackers to chain low-level access into full root control on several Linux distributions. These flaws affect openSUSE Leap 15, SUSE Linux Enterprise 15, and systems running the widely-deployed udisks daemon.
-
New Linux bug a “critical and universal” risk? [Ed: Hype! Needs existing access to the machine.]
A day after CISA confirmed that a Linux kernel vulnerability dating back to 2023 is being actively exploited in the wild, security firm Qualys has reported a pair of Linux vulnerabilities, saying one in particular, CVE-2025-6019, is a “critical and universal” risk in Ubuntu, Fedora, Debian, and openSUSE.
-
CISA Flags CVE-2023-0386 as Actively Exploited Linux Kernel Privilege Escalation Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a critical Linux kernel vulnerability, officially listed as CVE-2023-0386.
The vulnerability, which carries a CVSS score of 7.8, is categorized as a Linux Kernel Privilege Escalation flaw. It stems from improper ownership management within the Linux kernel’s OverlayFS subsystem. If exploited successfully, attackers can escalate privileges on affected systems, gain unauthorized access, and potentially execute arbitrary code with elevated rights.
A day later:
-
Linux flaws chain allows Root access across major distributions
Researchers discovered two local privilege escalation flaws that could let attackers gain root access on systems running major Linux distributions.
Qualys researchers discovered two local privilege escalation (LPE) vulnerabilities; an attacker can exploit them to gain root privileges on machines running major Linux distributions.