CISA Warns of Linux Kernel Race Condition Vulnerability Exploited in Attacks


On Mon, Sep 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified a high-severity vulnerability in the Linux kernel and added it to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2025-38352, is being actively exploited in attacks.

Technical Specifications

The vulnerability is classified as a Time-of-Check Time-of-Use (TOCTOU) race condition. This flaw allows attackers to alter a system resource between the moment its security status is checked and the moment it is actually used, potentially leading to elevated privileges, data manipulation, or system crashes. The impact on confidentiality, integrity, and availability is significant.

Operational Impact

Because the vulnerability is being actively exploited, its inclusion in the KEV catalog mandates action under Binding Operational Directive (BOD) 22-01. Federal Civilian Executive Branch (FCEB) agencies must apply vendor-provided mitigations or discontinue use of the product by Mon, Sep 25, 2025. Although the directive is mandatory only for federal agencies, CISA advises all organizations to address this vulnerability promptly, given the widespread use of the Linux kernel across systems such as web servers, cloud infrastructure, Android devices, and Internet of Things (IoT) gadgets.

Mitigation Recommendations

  • Apply patches and mitigations from Linux distribution vendors as they become available.
  • If mitigations are unavailable, follow applicable guidance for cloud services or discontinue the product’s use.
  • System administrators should consult their Linux distribution providers, such as Red Hat, Canonical (Ubuntu), and SUSE, for security updates and patching instructions.
