- What: An overview of Linux kernel vulnerabilities and exploits is provided.
- Impact: IT professionals need to be aware of potential security flaws in the Linux kernel.
Linux Kernel Vulnerabilities Exploited in 2025: CISA KEV Insights
MaK Ulac, Oct 14, 2025

It wasn't easy to be on an admin or cybersecurity team in 2025. In the first quarter alone, researchers observed 159 CVEs being exploited in the wild. Several of these attacks targeted Linux hosts, focusing on kernel-level flaws and device-driver validation issues that typically enabled local privilege escalation or information disclosure. Below, we discuss the seven Linux kernel vulnerabilities that were actively exploited and added to the CISA Known Exploited Vulnerabilities (KEV) Catalog this year.

1. CVE-2021-22555: Heap Out-Of-Bounds Write in Netfilter

CVE-2021-22555 is a heap out-of-bounds write in the Linux kernel's netfilter subsystem, the networking component that handles packet filtering and NAT (network address translation). The flaw lives in the x_tables compatibility layer (net/netfilter/x_tables.c), the code that translates 32-bit iptables rulesets into the kernel's native representation. When a ruleset is installed through the compat setsockopt(IPT_SO_SET_REPLACE) path, the conversion helpers xt_compat_target_from_user() and xt_compat_match_from_user() zero a few bytes of alignment padding after each match or target without checking that the padding still fits inside the allocated rule blob, so a crafted ruleset makes the kernel write zeros past the end of a heap allocation. Installing rules normally requires CAP_NET_ADMIN, but an unprivileged local user obtains that capability simply by creating a user namespace, so the bug is reachable without any special privileges and can be turned into arbitrary code execution as root. The path sits behind CONFIG_COMPAT (32-bit syscall support), which is enabled on essentially every x86-64 distribution kernel, so CVE-2021-22555 affected a very wide range of systems.

Andy Nguyen of Google reported this issue in 2021. We list it here for three reasons. Number one: CISA added it to the Known Exploited Vulnerabilities (KEV) Catalog on October 6, 2025, over four years after it was originally disclosed (but we all know how busy Linux admins are, and the "don't touch it while it works" mantra). Number two: the exploit works reliably across most systems running affected kernels, which makes it especially attractive to threat actors.
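To make the bug class concrete, here is a small C model of the padding write described above. It is an added example written for this article, not the kernel's code or Nguyen's exploit: the 16-byte "blob", the 4-byte target at offset 12, the canary region and the helper names are all constructed here. The vulnerable function keeps the pre-fix shape of xt_compat_target_from_user() (zero the alignment pad after the target without consulting the blob size); the fixed one follows the upstream approach of zeroing the blob once at allocation and checking the aligned size against the room left.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x_tables aligns every match/target to 8 bytes on 64-bit kernels. */
#define XT_ALIGN(s) (((size_t)(s) + 7u) & ~(size_t)7u)
#define BLOB_LEN  16u   /* bytes the "ruleset blob" was allocated with (constructed) */
#define GUARD_LEN 8u    /* canary bytes standing in for the adjacent heap object */
#define CANARY    0xA5

/* Vulnerable shape, modelled on xt_compat_target_from_user() before the fix:
 * the alignment pad after the target is zeroed at blob+off+targetsize, but
 * nothing checks that the pad still lies inside blob_len. The target itself
 * fits; only the pad spills into whatever follows. Returns pad bytes written. */
static size_t compat_copy_target_vuln(unsigned char *blob, size_t blob_len,
                                      size_t off, const unsigned char *src,
                                      size_t targetsize)
{
    size_t pad = XT_ALIGN(targetsize) - targetsize;
    (void)blob_len;                               /* never consulted: the bug */
    memcpy(blob + off, src, targetsize);
    if (pad > 0)
        memset(blob + off + targetsize, 0, pad);  /* may cross blob_len */
    return pad;
}

/* Fixed shape, following the upstream approach: the blob is zeroed once at
 * allocation (so no per-target pad memset is needed) and the aligned size is
 * checked against the room left before anything is copied.
 * Returns 0 on success, -1 if the ruleset must be rejected. */
static int compat_copy_target_fixed(unsigned char *blob, size_t blob_len,
                                    size_t off, const unsigned char *src,
                                    size_t targetsize)
{
    if (off > blob_len || XT_ALIGN(targetsize) > blob_len - off)
        return -1;
    memcpy(blob + off, src, targetsize);
    return 0;
}

/* One scenario: a 4-byte target at offset 12 of a 16-byte blob fits exactly,
 * but its XT_ALIGN(4) - 4 = 4 pad bytes do not. The blob is followed by a
 * canary region; the return value is how many canary bytes were clobbered
 * (0 means no out-of-bounds write). rc_out (may be NULL) receives the copy
 * helper's return value: pad count for the vulnerable one, 0/-1 for the fixed. */
static size_t run_scenario(int use_fixed, int *rc_out)
{
    unsigned char mem[BLOB_LEN + GUARD_LEN];
    const unsigned char target[4] = { 0xde, 0xad, 0xbe, 0xef };
    size_t clobbered = 0;
    int rc;

    memset(mem, CANARY, sizeof mem);
    if (use_fixed) {
        memset(mem, 0, BLOB_LEN);                 /* fixed path: zero blob up front */
        rc = compat_copy_target_fixed(mem, BLOB_LEN, 12, target, sizeof target);
    } else {
        rc = (int)compat_copy_target_vuln(mem, BLOB_LEN, 12, target, sizeof target);
    }
    for (size_t i = BLOB_LEN; i < sizeof mem; i++)
        if (mem[i] != CANARY)
            clobbered++;
    if (rc_out)
        *rc_out = rc;
    return clobbered;
}

static int scenario_rc(int use_fixed)
{
    int rc;
    run_scenario(use_fixed, &rc);
    return rc;
}

int main(void)
{
    printf("vulnerable: pad=%d, canary bytes clobbered=%zu\n",
           scenario_rc(0), run_scenario(0, NULL));
    printf("fixed:      rc=%d,  canary bytes clobbered=%zu\n",
           scenario_rc(1), run_scenario(1, NULL));
    return 0;
}
```

The vulnerable path reports four canary bytes clobbered: four zero bytes written just past the allocation, the kind of small corruption of an adjacent heap object that a real exploit then builds on. The fixed path rejects the ruleset with -1 and leaves the guard untouched.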
The third reason: it provides a practical way to escalate privileges at the kernel level. Nguyen published a proof-of-concept exploit showing that CVE-2021-22555 yields a full root compromise from a regular user account in seconds on default configurations. NVD scored the issue CVSS 8.3: quite severe. If you are running a Linux kernel anywhere from 2.6.19 onwards and it has not received the backported patch, you likely have a problem with CVE-2021-22555. The fix ("netfilter: x_tables: fix compat match/target pad out-of-bound write") was merged upstream in April 2021, shipped in 5.12, and backported to the stable series; the advice to admins was, and still is if not yet followed, to move to a kernel that contains it as soon as possible. If you cannot upgrade, disable unprivileged user namespaces: the bug is only reachable with CAP_NET_ADMIN, which an unprivileged user otherwise obtains just by creating a user namespace. On most distributions `sysctl -w user.max_user_namespaces=0` does this (Debian and Ubuntu kernels also offer kernel.unprivileged_userns_clone=0); be aware that it also breaks rootless containers and sandboxes that rely on user namespaces. As we said, it is on CISA's list: attackers have used CVE-2021-22555 in exploit chains to escape from containers and escalate local privileges. Check out the LinuxSecurity advisory for CVE-2021-22555 for SUSE Linux.

2. CVE-2025-38352: TOCTOU Race in POSIX CPU Timers Leading to Use-After-Free

CVE-2025-38352 is a race-condition vulnerability in the Linux kernel's POSIX CPU timers code, specifically a TOCTOU (time-of-check/time-of-use) race between handle_posix_cpu_timers() and posix_cpu_timer_del(). If a non-autoreaping task has already passed exit_notify() and handle_posix_cpu_timers() runs from interrupt context, the task can be reaped by its parent or a debugger immediately after unlock_task_sighand(), leaving the timer cleanup path operating on freed memory (a use-after-free or similar memory corruption). Upstream maintainers fixed the flaw in mid-2025, with stable backports that correct the race in the posix-cpu-timers logic. The bug is rated high severity (CVSS v3.x between 7.0 and 7.4 in public trackers) because winning the race can result in denial of service and potentially privilege escalation or arbitrary kernel memory corruption on affected systems.
The flaw is present in the kernel trees used by many distributions and was subsequently found in the Android kernel stack as well; vendors shipped kernel fixes, and Google included the fix in its September 2025 Android security updates after reports of limited, targeted exploitation. Vulnerability trackers and vendor advisories (NVD, Tenable and distribution advisories among them) recommend applying the supplied kernel patches or vendor kernels as soon as possible. The issue is on our list because it has already been exploited in the wild: CISA added it to the KEV Catalog on September 25, 2025.

3. CVE-2023-0386: Improper UID/Capability Preservation in OverlayFS

CVE-2023-0386 is a high-severity local privilege-escalation bug in the Linux kernel's OverlayFS subsystem, caused by improper ownership handling when a file is copied up from a lower layer to the upper layer. An unprivileged user can create a user namespace, build an overlay whose lower layer is a mount under their control (a FUSE filesystem mounted nosuid, for instance) that presents a setuid binary owned by root, and then trigger a copy-up. Because the copy-up preserved the file's owner and setuid bit without checking that the UID was validly mapped in the mounting namespace, the result is a root-owned setuid binary in the upper layer, on a mount where setuid is honoured, that the user can simply execute. The flaw was patched upstream in early 2023 ("ovl: fail on invalid uid/gid mapping at copy up") after public disclosure, and technical write-ups documented how the copy-up path mishandled UID mapping. Because it hands local users root on affected kernels, it has a strong real-world impact on multi-user systems, containers and cloud hosts that rely on OverlayFS; the public CVSS score is 7.8, and multiple proof-of-concept exploits appeared shortly after disclosure. Vendors released kernel fixes and distribution advisories, and have continued to backport the fix since. CISA added CVE-2023-0386 to the KEV Catalog on July 8, 2025, after receiving evidence of exploitation in the wild.
The advice to admins is unsurprising: make sure kernels are updated to include the vendor patch, or apply vendor mitigations (restrict OverlayFS use, or apply livepatches so that you do not need to reboot). If that advice was not applied in a timely manner, the other advice is to hunt for signs of local compromise, starting with unexpected root-owned setuid binaries in user-writable locations. Read the full LinuxSecurity advisory for CVE-2023-0386.

4. CVE-2024-53150: ALSA USB-Audio Driver Out-of-Bounds Read When Parsing Clock Descriptors

CVE-2024-53150 is a vulnerability in the ALSA USB-audio driver, part of the Linux kernel. When looking up clock descriptors (sources, selectors and multipliers), the driver did not check the descriptor's bLength field against the size of the structure it expected. A device that presents a clock descriptor with a bLength shorter than that structure makes the driver read fields beyond the end of the descriptor, which is an out-of-bounds read of kernel memory: in other words, information disclosure. The vulnerability was disclosed in December 2024; maintainers fixed it upstream and provided backports for stable releases, and Ubuntu, Red Hat and other distributions soon published advisories and kernel updates. Now to the practical impact. The attacker needs physical access, or control of a USB device, to present a malicious USB-audio device; with it they can make an unpatched kernel read beyond the buffer it was given and leak kernel memory, along with whatever sensitive data or cryptographic material happens to sit there. The issue is rated high severity: NVD gives it CVSS 7.1, while Ubuntu, for example, rates it 7.8, nearing critical. Admins should apply updates as soon as possible, or block untrusted USB devices if updating is not an option. CISA added CVE-2024-53150 to the KEV Catalog on April 9, 2025. Read more about CVE-2024-53150 on LinuxSecurity.
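The following C program is an added example for this article, not the kernel's code, and it models the descriptor-length check that was missing. The descriptor blob is constructed here (a valid clock source followed by a 3-byte descriptor that claims to be one), and SENTINEL bytes after it stand in for the kernel memory that would follow the real buffer. find_clock_source() is a simplified stand-in for the ALSA lookup helper, shown in both the pre-fix shape (trust the subtype byte, cast, read) and the hardened shape (require bLength to cover the structure and the descriptor to lie inside the buffer). The clock ID searched for equals the sentinel on purpose, so the vulnerable walker "finds" a clock source whose ID and controls come from outside the descriptor data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_CS_INTERFACE 0x24   /* USB Audio Class 2.0 descriptor type / subtype */
#define UAC2_CLOCK_SOURCE   0x0A
#define SENTINEL            0xEE   /* stands in for kernel memory after the buffer */

/* UAC2 clock source descriptor: 8 bytes on the wire. */
struct uac2_clock_source_descriptor {
    uint8_t bLength, bDescriptorType, bDescriptorSubtype, bClockID;
    uint8_t bmAttributes, bmControls, bAssocTerminal, iClockSource;
};

/* Walk the class-specific descriptors in [buf, buf+len) for a clock source with
 * the given ID. check_len = 0 keeps the pre-fix shape: the subtype byte alone
 * decides this is a clock source and the 8-byte struct is read even when bLength
 * is smaller. check_len = 1 is the hardened shape: the descriptor must be at
 * least sizeof(struct) long and lie entirely inside the buffer, else NULL.
 * *oob_bytes reports how many struct bytes lie past the declared bLength. */
static const struct uac2_clock_source_descriptor *
find_clock_source(const uint8_t *buf, size_t len, uint8_t clock_id,
                  int check_len, size_t *oob_bytes)
{
    size_t pos = 0;
    *oob_bytes = 0;
    while (pos + 3 <= len) {
        uint8_t blen = buf[pos];
        if (blen < 3)
            break;                                /* malformed header: stop */
        if (buf[pos + 1] == USB_DT_CS_INTERFACE &&
            buf[pos + 2] == UAC2_CLOCK_SOURCE) {
            const struct uac2_clock_source_descriptor *cs =
                (const struct uac2_clock_source_descriptor *)(buf + pos);
            if (check_len && (blen < sizeof *cs || pos + blen > len))
                return NULL;                      /* fixed: reject it */
            if (blen < sizeof *cs)
                *oob_bytes = sizeof *cs - blen;   /* vulnerable: OOB read ahead */
            if (cs->bClockID == clock_id)         /* offset 3: past a 3-byte bLength */
                return cs;
        }
        pos += blen;
    }
    return NULL;
}

/* Constructed blob (not captured from a real device): a well-formed clock source
 * with ID 1, then a 3-byte descriptor claiming to be a clock source that ends
 * exactly at the buffer end; SENTINEL bytes follow. Returns oob_bytes for the
 * match or (size_t)-1 if nothing matched. controls_out (may be NULL) receives
 * the bmControls value the driver would go on to use. */
static size_t run_clock_scenario(int check_len, uint8_t *controls_out)
{
    static const uint8_t blob[] = {
        8, USB_DT_CS_INTERFACE, UAC2_CLOCK_SOURCE, 1, 0x03, 0x07, 0x00, 0x00,
        3, USB_DT_CS_INTERFACE, UAC2_CLOCK_SOURCE,
    };
    uint8_t mem[16];
    size_t oob;
    const struct uac2_clock_source_descriptor *cs;

    memset(mem, SENTINEL, sizeof mem);
    memcpy(mem, blob, sizeof blob);               /* 11 bytes, 5 SENTINEL after */
    /* Look for a clock ID the device never declared (it equals SENTINEL). */
    cs = find_clock_source(mem, sizeof blob, SENTINEL, check_len, &oob);
    if (controls_out)
        *controls_out = cs ? cs->bmControls : 0;
    return cs ? oob : (size_t)-1;
}

static unsigned controls_read(int check_len)
{
    uint8_t ctl;
    run_clock_scenario(check_len, &ctl);
    return ctl;
}

int main(void)
{
    printf("vulnerable: %zu struct bytes past bLength, bmControls read = 0x%02x\n",
           run_clock_scenario(0, NULL), controls_read(0));
    printf("fixed: %s\n", run_clock_scenario(1, NULL) == (size_t)-1
                              ? "short descriptor rejected" : "accepted");
    return 0;
}
```

With check_len = 0 the walker returns a match whose bClockID and bmControls are sentinel bytes, so data from outside the descriptor buffer now steers the driver; with the check in place the truncated descriptor is rejected before any field beyond its three bytes is touched.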
5. CVE-2024-53197: ALSA USB-Audio bNumConfigurations Validation Failure Leading to Out-of-Bounds Kernel Access

CVE-2024-53197 is another ALSA USB-audio vulnerability in the Linux kernel that CISA added to the KEV Catalog on the very same day, even though it was published three days after CVE-2024-53150. The root cause is much the same: missing validation in the driver. Here, a quirk for certain devices (the Extigy and Mbox quirks) re-reads the device descriptor after enumeration, and a malicious or malformed USB device can return a bNumConfigurations value larger than the one usb_get_configuration() used when it allocated dev->config. The driver did not validate the new count before configurations were accessed or torn down, so the device can cause out-of-bounds reads or writes (for instance in usb_destroy_configuration), corrupting kernel memory. Upstream kernel maintainers fixed the root cause with patches that validate the configuration count and adjust the allocation/teardown logic. The good news is that exploitation requires physical or emulated access to the system: the attacker has to plug in, or emulate, a malicious USB audio device. The bad news is that exploitation can result in crashes, information leakage, local privilege escalation and arbitrary code execution (the latter two when chained with other bugs). CVE-2024-53197 has been exploited in the wild, and CISA included it in its Known Exploited Vulnerabilities Catalog on April 9, 2025, as mentioned. Multiple vendors (Ubuntu, Red Hat, SUSE and others) released advisories with patched kernels or backports. Administrators were urged to apply vendor kernel updates and avoid connecting untrusted USB devices until systems are patched (not that anybody ever recommended connecting untrusted USB devices). CISA's standard guidance is to "discontinue use of the product if mitigations are unavailable", as if you could just do that on a whim.
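Here is a companion C model for the count-versus-allocation mismatch, again an added example for this article and not the USB core's code. struct usb_dev_model, its four config slots, the canary value and the one-then-four configuration counts are all constructed for the illustration; get_configuration(), apply_reread_descriptor() and destroy_configurations() stand in for usb_get_configuration(), the descriptor re-read in the quirk, and usb_destroy_configuration() respectively. The hardened path refuses a re-read count larger than the existing allocation, which is also how the upstream fix handles a device that suddenly reports more configurations.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CONFIG_SLOTS 4            /* backing storage for the model's config[] */
#define CANARY 0x7A7A7A7A         /* marks slots that were never allocated */

/* Minimal stand-in for struct usb_device (constructed for this example). */
struct usb_dev_model {
    uint8_t bNumConfigurations;   /* count from the device descriptor */
    size_t  nconfig_alloc;        /* how many config[] entries were really allocated */
    int     config[CONFIG_SLOTS]; /* stands in for dev->config */
};

/* Enumeration (kernel: usb_get_configuration): config[] is sized from the
 * bNumConfigurations the device reported first. */
static void get_configuration(struct usb_dev_model *dev, uint8_t n)
{
    dev->bNumConfigurations = n;
    dev->nconfig_alloc = n;
    for (size_t i = 0; i < CONFIG_SLOTS; i++)
        dev->config[i] = i < n ? (int)i + 1 : CANARY;
}

/* A quirk re-reads the device descriptor after set-up and the device returns
 * new_count. Vulnerable: copy it over unconditionally. Fixed: refuse any count
 * larger than the existing allocation. Returns 0 if accepted, -1 if rejected. */
static int apply_reread_descriptor(struct usb_dev_model *dev, uint8_t new_count,
                                   int fixed)
{
    if (fixed && new_count > dev->nconfig_alloc)
        return -1;
    dev->bNumConfigurations = new_count;
    return 0;
}

/* Teardown (kernel: usb_destroy_configuration) walks bNumConfigurations entries.
 * Returns how many of them lay beyond the real allocation, i.e. how many
 * never-allocated slots were "freed". The CONFIG_SLOTS bound only keeps this
 * model in defined behaviour; the kernel has no such backstop. */
static size_t destroy_configurations(struct usb_dev_model *dev)
{
    size_t past = 0;
    for (size_t i = 0; i < dev->bNumConfigurations && i < CONFIG_SLOTS; i++) {
        if (i >= dev->nconfig_alloc && dev->config[i] == CANARY)
            past++;
        dev->config[i] = 0;
    }
    return past;
}

/* Scenario: the device reports one configuration at enumeration, then claims
 * four when the quirk re-reads the descriptor. Returns slots freed past the
 * allocation (0 when the hardened path rejects the new count). */
static size_t run_config_scenario(int fixed)
{
    struct usb_dev_model dev;
    get_configuration(&dev, 1);
    apply_reread_descriptor(&dev, 4, fixed);
    return destroy_configurations(&dev);
}

static int reread_rc(int fixed)
{
    struct usb_dev_model dev;
    get_configuration(&dev, 1);
    return apply_reread_descriptor(&dev, 4, fixed);
}

int main(void)
{
    printf("vulnerable: re-read rc=%d, slots freed past allocation=%zu\n",
           reread_rc(0), run_config_scenario(0));
    printf("fixed:      re-read rc=%d, slots freed past allocation=%zu\n",
           reread_rc(1), run_config_scenario(1));
    return 0;
}
```

The vulnerable run frees three slots that were never allocated, the model's equivalent of usb_destroy_configuration() calling kfree() on memory past dev->config; the hardened run rejects the re-read descriptor and tears down exactly the one configuration it allocated.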
6. CVE-2024-50302: Uninitialized HID Report Buffer Leads to Kernel Memory Leak

CVE-2024-50302 is a Linux kernel vulnerability in the HID core that stems from an uninitialized report buffer: the kernel did not zero-initialize the buffer on allocation, so specially crafted HID reports (for example, from a malicious or malformed USB HID device) could make the kernel return or otherwise expose leftover kernel memory contents. Upstream maintainers corrected the code to zero-initialize the report buffer during allocation to re