CISA Warns of Linux Kernel Race Condition Vulnerability Exploited in Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new high-severity vulnerability in the Linux kernel to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is being actively exploited in attacks.

The warning, issued on September 4, 2025, calls for urgent action from federal agencies and private sector organizations to mitigate the threat.

The vulnerability, tracked as CVE-2025-38352, is a Time-of-Check Time-of-Use (TOCTOU) race condition.

This type of flaw creates a small window in which an attacker can alter a system resource between the time the system checks that resource's state and the time it actually uses it.

Linux Kernel Race Condition Vulnerability

A successful exploit could allow an attacker to gain elevated privileges, manipulate sensitive data, or cause a system to crash, leading to a high impact on confidentiality, integrity, and availability.

In response to confirmed “in-the-wild” exploitation, CISA’s addition to the KEV catalog triggers a binding operational directive for federal agencies.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-provided mitigations or discontinue use of the product by the due date of September 25, 2025.

While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize patching this vulnerability due to the widespread use of the Linux kernel.

Linux serves as the foundation for a vast array of systems, including web servers, cloud infrastructure, Android devices, and Internet of Things (IoT) gadgets, making the potential attack surface enormous.

“A flaw in the Linux kernel is a foundational risk that can impact countless technologies across the globe,” a security analyst noted.

At present, it is unknown if this vulnerability is being used in specific ransomware campaigns. However, attackers often use such kernel-level exploits to gain deeper access and persistence within a network before deploying ransomware or exfiltrating data.

CISA recommends applying patches and mitigations from Linux distribution vendors as soon as they become available.

If mitigations are not available for a specific product, organizations should follow applicable guidance for cloud services or discontinue the product’s use to remove the threat.

System administrators are advised to check with their specific Linux distribution providers, such as Red Hat, Canonical (Ubuntu), and SUSE, for security updates and patching instructions.
