Linux kernel CVEs 2025: what security leaders need to know to prepare for 2026

The first 16 days of 2025 delivered 134 new Linux kernel CVEs (Common Vulnerabilities and Exposures—the standard system for tracking security flaws).[1] By October, CISA had added seven kernel vulnerabilities to its Known Exploited Vulnerabilities catalog—each one actively used in attacks against enterprise infrastructure.[2] For security leaders, 2025 made one thing clear: the reactive security model is failing.
This isn't a story about theoretical risks. Ransomware groups including Qilin, Kraken, and RansomHub weaponized kernel exploits to hit more than 700 organizations across 62 countries.[3] They targeted backup infrastructure, escaped container boundaries, and gained root access on systems that were waiting for patches that hadn't yet been deployed.
Here's what happened, what it means for your infrastructure, and what the organizations that avoided the worst outcomes did differently.
The 2025 kernel threat landscape
The volume of kernel vulnerabilities in 2025 overwhelmed traditional security operations. After the Linux kernel team became a CVE Numbering Authority in 2024, disclosure rates accelerated dramatically. The 2024 total reached 3,529 kernel CVEs—a tenfold increase from prior years.[4] That pace continued into 2025.
For security teams already stretched thin, this created an impossible triage problem. With 8-9 new kernel CVEs appearing daily, distinguishing critical threats from noise became a full-time job. Attackers exploited this confusion, knowing that even well-resourced organizations couldn't patch fast enough.
CISA's KEV catalog additions tell the story of what attackers actually targeted: privilege escalation flaws like "Flipping Pages," container escapes through OverlayFS bugs, and VM breakout vulnerabilities like "Attack of the Vsock." The pattern was consistent—gain initial access through any means, then use a kernel exploit to escalate to root and own the system entirely.
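A triage check of the kind the paragraphs above call for, as an added example (not CIQ's or CISA's code): it parses the CISA KEV feed's JSON shape, compares the running kernel release against per-stream fixed versions, and ranks exposed CVEs with KEV-listed ones first. The KEV entries, dates and fixed versions here are constructed placeholders, not real advisory data.

```python
"""Rank kernel CVEs by exposure and KEV status. Added example, not vendor code.
The KEV feed shape (cveID, vendorProject, product, dateAdded, dueDate) matches
CISA's JSON; the entries, dates and fixed versions below are CONSTRUCTED."""
import json
import platform
import re

# Constructed sample of the KEV feed (cveIDs are the two this article names).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1086", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2025-10-01", "dueDate": "2025-10-22"},
    {"cveID": "CVE-2025-21756", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2025-10-15", "dueDate": "2025-11-05"},
]})

# Constructed: CVE -> {stable stream "X.Y": first patch level carrying the fix}.
CVE_FIXES = {
    "CVE-2024-1086": {"6.1": 76, "6.6": 15},
    "CVE-2025-21756": {"6.1": 135, "6.6": 90},
    "CVE-2025-EXAMPLE": {"6.1": 50, "6.6": 10},   # placeholder, not in KEV
}

def parse_release(release):
    """'6.1.76-1-amd64' -> (6, 1, 76); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_fixed(release, fixed_in):
    """True when the kernel's stable stream is at or past the fixed patch level.
    A stream missing from the map is treated as unfixed (fail closed)."""
    major, minor, patch = parse_release(release)
    level = fixed_in.get(f"{major}.{minor}")
    return level is not None and patch >= level

def triage(release, cve_fixes, kev_json):
    """Exposed CVEs for this kernel, KEV-listed first, then by KEV due date."""
    kev = {v["cveID"]: v["dueDate"] for v in json.loads(kev_json)["vulnerabilities"]}
    exposed = [{"cve": cve, "in_kev": cve in kev, "due": kev.get(cve)}
               for cve, fixed_in in cve_fixes.items() if not is_fixed(release, fixed_in)]
    exposed.sort(key=lambda e: (not e["in_kev"], e["due"] or "9999", e["cve"]))
    return exposed

if __name__ == "__main__":
    # On Linux, platform.release() is the running kernel release (uname -r).
    for entry in triage(platform.release(), CVE_FIXES, KEV_JSON):
        print(entry)
```

Swap KEV_JSON for the downloaded catalog and CVE_FIXES for your distribution's advisory data, and the ranking becomes the daily "which of the 8-9 new CVEs matter on this host" list.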
Three incidents that defined the year
"Flipping Pages": a decade-old bug hits ransomware operations
In October 2025, CISA confirmed that CVE-2024-1086—known in security circles as "Flipping Pages"[5]—was being actively exploited in ransomware campaigns.[6] The vulnerability, a use-after-free bug in the kernel's nf_tables component, had existed in Linux kernels for more than ten years before being discovered in January 2024.
Ransomware operators including RansomHub and Akira used this exploit for post-compromise privilege escalation.[6] The attack pattern was straightforward: gain initial access through stolen credentials or vulnerable services, then exploit CVE-2024-1086 to escalate from limited user to root. With root access, attackers disabled security tools, exfiltrated data, and deployed encryption payloads.
The vulnerability affected virtually every Linux distribution. Patches were available within weeks of disclosure, but enterprise patch cycles of 30-60 days left millions of systems exposed during the critical window when exploit code was publicly available and actively weaponized.
Behavioral detection at the kernel level would have caught these attacks regardless of patch status. When an exploit attempts to modify process credentials or escalate privileges through memory corruption, that behavior is detectable—even without knowing the specific CVE being exploited. This is the approach behind LKRG (Linux Kernel Runtime Guard), which ships standard in RLC-Hardened. Download the technical summary for details on how it works.
"Attack of the Vsock": escaping the virtual machine
In April 2025, security researchers disclosed CVE-2025-21756, dubbed "Attack of the Vsock."[7] This vulnerability in the Linux kernel's vsock subsystem allowed attackers inside a virtual machine to escape to the host system and gain root access.
For organizations running multi-tenant cloud infrastructure or container platforms, this was a nightmare scenario. The vsock interface handles VM-to-host communication—a trust boundary that's supposed to prevent guests from affecting hosts. CVE-2025-21756 broke that boundary entirely.
A working proof-of-concept exploit was published alongside the disclosure. The attack chain involved manipulating reference counters during transport reassignment, causing the kernel to free memory while it was still in use. From there, attackers could corrupt kernel memory and achieve arbitrary code execution with root privileges.
This class of vulnerability—isolation boundary escapes—became a recurring theme in 2025. Container escapes, VM breakouts, and sandbox bypasses all target the same architectural assumption: that privilege boundaries enforced at the kernel level will hold. Runtime kernel integrity monitoring detects when those boundaries are violated, regardless of which specific vulnerability is being exploited.
Qilin ransomware's cross-platform pivot
The Qilin ransomware group (also known as Agenda) demonstrated how Linux kernel exploitation fits into modern ransomware operations. Since January 2025, Qilin has affected more than 700 victims across 62 countries, with concentrations in manufacturing, technology, financial services, and healthcare.[3]
What made Qilin notable was its cross-platform approach. Attackers deployed Linux ransomware binaries on Windows hosts using legitimate remote management tools, bypassing Windows-centric security controls entirely. They specifically targeted Veeam backup infrastructure using credential extraction tools, eliminating recovery options before deploying encryption payloads.[8]
The group combined multiple techniques: BYOVD (Bring Your Own Vulnerable Driver) attacks to disable endpoint security, SOCKS proxies hidden in directories associated with trusted enterprise software, and systematic credential harvesting across backup databases. By the time encryption began, victims had no clean backups and no functioning security tools.
Defense-in-depth would have disrupted this attack chain at multiple points. A pre-hardened OS configuration reduces the attack surface available for initial exploitation. Runtime kernel protection detects privilege escalation and security tool tampering. Hardened system packages limit credential harvesting opportunities. No single control stops every attack, but layered protection forces attackers to succeed at every step—and most campaigns fail when that bar is raised. How do these layers work together in practice? The RLC-Hardened technical summary breaks it down.
Why patching alone failed
The consistent theme across 2025's kernel incidents is the gap between patch availability and patch deployment. CVE-2021-22555—a netfilter privilege escalation bug that's been weaponized for years—was added to CISA's KEV catalog in October 2025, more than four years after initial disclosure.[2]
This isn't negligence. Enterprise patch cycles exist because untested kernel updates can cause production outages. Change windows are limited. Dependencies must be validated. The "don't touch it while it works" philosophy exists because the cost of unplanned downtime is real and measurable.
But attackers operate on a different timeline. When a kernel vulnerability is disclosed with working exploit code, weaponization follows within days or weeks. The 30-60 day enterprise patch cycle creates a window where systems are known-vulnerable and exploit code is publicly available.
Proactive protection addresses this gap directly. Behavioral detection doesn't require signatures or patches—it identifies exploitation attempts based on what they do, not which specific vulnerability they target. When an attacker attempts to modify kernel memory structures, escalate process credentials, or tamper with security controls, those actions are detectable regardless of the underlying CVE.
What proactive hardening changes
The organizations that navigated 2025 without major kernel-related incidents shared common characteristics. They didn't rely solely on patching. They implemented controls that work before patches exist.
Runtime kernel integrity monitoring detects exploitation attempts as they happen. When an attacker tries to escalate privileges through credential modification, the attempt is caught and blocked—even for zero-day vulnerabilities with no CVE number and no available patch.
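A simplified model of the credential-integrity check described in the Flipping Pages section and again here, as an added example that is not LKRG's code: the monitor keeps a shadow copy of each task's credentials, lets only the hooked, legitimate credential-change path update that copy, and compares live against shadow at each syscall, so an exploit that overwrites credentials directly is caught with no knowledge of the CVE it used. Task, Cred, Monitor and the hook names are this example's own simplifications.

```python
"""Shadow-credential integrity check: a simplified model of how a runtime kernel
guard catches escalation by behaviour, not by CVE. Added example, not LKRG code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cred:
    uid: int            # a real struct cred also carries gid, euid, capabilities, ...

@dataclass
class Task:
    pid: int
    cred: Cred          # live credentials, as the kernel sees them

class Monitor:
    def __init__(self):
        self.shadow = {}   # pid -> credentials last committed through the hooked path
        self.alerts = []   # (pid, syscall, expected, observed)

    def track(self, task):
        self.shadow[task.pid] = task.cred   # snapshot when guarding starts (e.g. at exec)

    def commit_creds(self, task, new_cred):
        """Hooked legitimate path (setuid(), setuid-binary exec): shadow follows the change."""
        task.cred = new_cred
        self.shadow[task.pid] = new_cred

    def on_syscall(self, task, name):
        """Validation at every syscall: creds that drifted from the shadow changed without the hook."""
        expected = self.shadow[task.pid]
        if task.cred != expected:
            self.alerts.append((task.pid, name, expected, task.cred))
            return False   # a real guard would kill the task here
        return True

def corrupt_cred_directly(task, new_cred):
    """Models an exploit (UAF, OOB write) patching cred in place: no hook fires."""
    task.cred = new_cred

def scenario():
    """Constructed run: one legitimate escalation, one exploit-style escalation."""
    mon = Monitor()
    admin, victim = Task(101, Cred(1000)), Task(202, Cred(1000))
    for task in (admin, victim):
        mon.track(task)
    mon.commit_creds(admin, Cred(0))        # sudo-style: goes through the hook
    admin_ok = mon.on_syscall(admin, "openat")
    corrupt_cred_directly(victim, Cred(0))  # exploit-style: bypasses the hook
    victim_ok = mon.on_syscall(victim, "execve")
    return admin_ok, victim_ok, mon.alerts
```

The exploit path never names a CVE: any bug that writes cred without the hook produces the same drift, which is the point the article makes about patch-independent detection.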
Pre-hardened OS configurations reduce the attack surface from day one. Rather than spending weeks manually applying hardening benchmarks, organizations start with 95%+ compliance and maintain it through ongoing updates.
The performance cost is minimal. Kernel integrity monitoring adds approximately 2.5% overhead—a fraction of the $4.45 million average cost of a data breach.[9] For organizations that experienced kernel exploitation in 2025, the ROI calculation is straightforward.
Preparing for 2026
The kernel CVE flood shows no sign of slowing. Ransomware groups continue investing in Linux capabilities, recognizing that enterprise infrastructure increasingly runs on Linux—especially in cloud, container, and virtualization environments.
Federal mandates are tightening. CISA's KEV catalog creates operational requirements for federal agencies, and the expectation is spreading to contractors and regulated industries. Demonstrating proactive security posture is becoming a compliance requirement, not just a best practice.
The organizations that avoided 2025's worst outcomes didn't have special intelligence about which CVEs would be exploited. They had protection that works regardless of which specific vulnerability attackers choose. That's the difference between reactive and proactive security—and 2025 demonstrated which approach holds up under pressure.
RLC-H provides that protection out of the box: pre-hardened configuration, runtime kernel integrity monitoring through LKRG, and the defense-in-depth architecture that modern threats require. The question for 2026 isn't whether kernel exploits will continue—it's whether your infrastructure will be protected when they do.
References
[1] Linux Journal, "The Most Critical Linux Kernel Breaches of 2025 So Far," November 2025. https://www.linuxjournal.com/content/most-critical-linux-kernel-breaches-2025-so-far
[2] LinuxSecurity, "7 Linux Kernel Vulnerabilities Exploited in 2025," October 2025. https://linuxsecurity.com/news/security-vulnerabilities/7-linux-kernel-vulnerabilities-exploited-in-2025
[3] Trend Micro, "Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques," October 2025. https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html
[4] TuxCare, "The Linux Kernel CVE Flood Continues Unabated in 2025," March 2025. https://tuxcare.com/blog/the-linux-kernel-cve-flood-continues-unabated-in-2025/
[5] Notselwyn, "Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques," pwning.tech, March 2024. https://pwning.tech/nftables/
[6] Sysdig, "Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that's being actively exploited in ransomware campaigns," December 2025. https://www.sysdig.com/blog/detecting-cve-2024-1086-the-decade-old-linux-kernel-vulnerability-thats-being-actively-exploited-in-ransomware-campaigns
[7] GBHackers, "Critical Linux Kernel Flaw (CVE-2025-21756) Allows Privilege Escalation," April 2025. https://gbhackers.com/critical-linux-kernel-flaw/
[8] Industrial Cyber, "Agenda ransomware abusing remote access, backup tools to escalate attacks on critical infrastructure in 2025," October 2025. https://industrialcyber.co/ransomware/agenda-ransomware-abusing-remote-access-backup-tools-to-escalate-attacks-on-critical-infrastructure-in-2025/
[9] IBM, "Cost of a Data Breach Report 2024." https://www.ibm.com/reports/data-breach