- What: A report analyzes the Linux kernel CVEs from the first part of 2025 and discusses proactive hardening strategies for 2026.
- Impact: Security leaders can use this information to improve their reactive security model and prepare for future kernel vulnerabilities.
# Linux kernel CVEs 2025: what security leaders need to know to prepare for 2026

January 5, 2026. 6 min read. Contributors: Brian Dawson

The first 16 days of 2025 delivered 134 new Linux kernel CVEs (Common Vulnerabilities and Exposures, the standard system for tracking security flaws). [1] By October, CISA had added seven kernel vulnerabilities to its Known Exploited Vulnerabilities catalog, each one actively used in attacks against enterprise infrastructure. [2]

For security leaders, 2025 made one thing clear: the reactive security model is failing. This isn't a story about theoretical risks. Ransomware groups including Qilin, Kraken, and RansomHub weaponized kernel exploits to hit more than 700 organizations across 62 countries. [3] They targeted backup infrastructure, escaped container boundaries, and gained root access on systems that were waiting for patches that hadn't yet been deployed.

Here's what happened, what it means for your infrastructure, and what the organizations that avoided the worst outcomes did differently.

## The 2025 kernel threat landscape

The volume of kernel vulnerabilities in 2025 overwhelmed traditional security operations. After the Linux kernel team became a CVE Numbering Authority in 2024, disclosure rates accelerated dramatically. The 2024 total reached 3,529 kernel CVEs, a tenfold increase from prior years. [4] That pace continued into 2025.

For security teams already stretched thin, this created an impossible triage problem. With 8-9 new kernel CVEs appearing daily, distinguishing critical threats from noise became a full-time job.
Attackers exploited this confusion, knowing that even well-resourced organizations couldn't patch fast enough. CISA's KEV catalog additions tell the story of what attackers actually targeted: privilege escalation flaws like "Flipping Pages," container escapes through OverlayFS bugs, and VM breakout vulnerabilities like "Attack of the Vsock." The pattern was consistent: gain initial access through any means, then use a kernel exploit to escalate to root and own the system entirely.

## Three incidents that defined the year

### "Flipping Pages": a decade-old bug hits ransomware operations

In October 2025, CISA confirmed that CVE-2024-1086, known in security circles as "Flipping Pages" [5], was being actively exploited in ransomware campaigns. [6] The vulnerability, a use-after-free bug in the kernel's nf_tables component, had existed in Linux kernels for more than ten years before being discovered in January 2024. Ransomware operators including RansomHub and Akira used this exploit for post-compromise privilege escalation. [6]

The attack pattern was straightforward: gain initial access through stolen credentials or vulnerable services, then exploit CVE-2024-1086 to escalate from limited user to root. With root access, attackers disabled security tools, exfiltrated data, and deployed encryption payloads.

The vulnerability affected virtually every Linux distribution. Patches were available within weeks of disclosure, but enterprise patch cycles of 30-60 days left millions of systems exposed during the critical window when exploit code was publicly available and actively weaponized.

Behavioral detection at the kernel level would have caught these attacks regardless of patch status. When an exploit attempts to modify process credentials or escalate privileges through memory corruption, that behavior is detectable even without knowing the specific CVE being exploited. This is the approach behind LKRG (Linux Kernel Runtime Guard), which ships standard in RLC-Hardened.
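As an added illustration of the credential-integrity idea above (this is not LKRG's code or the article's own), the following Python flags a process that becomes root without having executed a setuid-root binary, which is the signature-free observation a runtime guard relies on. The `Event` shape, the sample trace and the `/tmp/.payload` path are constructed; a real deployment would feed the function from audit or eBPF events.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Event:
    """One process event, shaped like what an audit/eBPF tracer might emit (constructed)."""
    ts: int                    # ordering key
    pid: int
    kind: str                  # "exec" or "cred"
    exe: str = ""              # exec: path that was executed
    setuid_root: bool = False  # exec: file is setuid and owned by root (sudo, su, ...)
    uid_before: int = -1       # cred: effective uid before the change
    uid_after: int = -1        # cred: effective uid after the change


# Constructed sample trace. pid 4203 gains uid 0 after running a plain binary
# from /tmp, which is what a memory-corruption privilege escalation looks like
# from the outside: the credentials change, but no setuid program was executed.
SAMPLE_TRACE = [
    Event(1, 4201, "exec", exe="/usr/bin/bash"),
    Event(2, 4201, "cred", uid_before=1000, uid_after=1000),      # no change
    Event(3, 4202, "exec", exe="/usr/bin/sudo", setuid_root=True),
    Event(4, 4202, "cred", uid_before=1000, uid_after=0),         # legitimate via sudo
    Event(5, 4203, "exec", exe="/tmp/.payload"),                  # placeholder path
    Event(6, 4203, "cred", uid_before=1000, uid_after=0),         # unexplained: flag it
    Event(7, 4204, "exec", exe="/usr/bin/su", setuid_root=True),
    Event(8, 4204, "cred", uid_before=1000, uid_after=0),
    Event(9, 4204, "cred", uid_before=0, uid_after=1000),         # dropping privilege is fine
]


def find_suspicious_escalations(trace: Iterable[Event]) -> List[Event]:
    """Return cred events where a non-root process became root although the most
    recent exec in that pid was not a setuid-root binary. No CVE signature involved."""
    last_exec_setuid: Dict[int, bool] = {}
    flagged: List[Event] = []
    for ev in sorted(trace, key=lambda e: e.ts):
        if ev.kind == "exec":
            last_exec_setuid[ev.pid] = ev.setuid_root
        elif ev.kind == "cred":
            raised_to_root = ev.uid_before != 0 and ev.uid_after == 0
            if raised_to_root and not last_exec_setuid.get(ev.pid, False):
                flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in find_suspicious_escalations(SAMPLE_TRACE):
        print(f"pid {ev.pid}: uid {ev.uid_before} -> {ev.uid_after} without a setuid exec")
```

The check is deliberately coarse; a production guard would also track file capabilities and the full credential set (euid, fsuid, capability masks), not just the effective uid.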
Download the technical summary for details on how it works.

### "Attack of the Vsock": escaping the virtual machine

In April 2025, security researchers disclosed CVE-2025-21756, dubbed "Attack of the Vsock." [7] This vulnerability in the Linux kernel's vsock subsystem allowed attackers inside a virtual machine to escape to the host system and gain root access. For organizations running multi-tenant cloud infrastructure or container platforms, this was a nightmare scenario.

The vsock interface handles VM-to-host communication, a trust boundary that's supposed to prevent guests from affecting hosts. CVE-2025-21756 broke that boundary entirely. A working proof-of-concept exploit was published alongside the disclosure. The attack chain involved manipulating reference counters during transport reassignment, causing the kernel to free memory while it was still in use. From there, attackers could corrupt kernel memory and achieve arbitrary code execution with root privileges.

This class of vulnerability, isolation boundary escapes, became a recurring theme in 2025. Container esc