Nine-Year-Old Linux Kernel Bug Quietly Handed Root Access to Any Local User Who Asked
A security flaw that sat undetected in the Linux kernel for nine years has been found to let unprivileged local users execute commands as root on a wide range of major distributions. That's not a typo. Nine years.
The vulnerability affects a core kernel component, and because it lives in the kernel itself rather than in any one distribution's packaging, it has been present across Ubuntu, Debian, Fedora, and others that between them run a substantial chunk of the world's servers, cloud infrastructure, and development machines. The kind of thing that keeps sysadmins up at night, assuming they've heard about it yet.
Details on the exact mechanism are still being digested by the security community, but the short version is that a local attacker with no special privileges can exploit this to gain full root-level code execution. Local privilege escalation flaws don't get the headlines that remote code execution bugs do, but in practice they're often just as dangerous: an attacker who already has an unprivileged account or low-privilege code execution, say through a compromised web application or a phished user's login, chains a bug like this to take the whole box. You only need one foothold.
Nine years is a long time. The flaw predates entire generations of tooling, container runtimes, and cloud platforms that were built on top of a kernel carrying this particular piece of baggage. Whether it was ever actively exploited in the wild before disclosure is, at this point, anyone's guess.
Patches are being pushed across affected distributions. If you're running Linux and haven't applied recent kernel updates, now is not the time to procrastinate. One caveat worth repeating: installing a new kernel package does not protect a machine until it actually boots that kernel (or a live-patching service has applied the fix), so after updating, confirm that the kernel reported by uname -r is the patched one rather than assuming the package manager finished the job.
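As an added example, not code from the article or from any distribution, the following POSIX shell script performs the post-update check described above: it compares the running kernel version against the newest kernel image installed under /boot and reports whether a reboot is still needed. It assumes the distribution installs kernels as /boot/vmlinuz-<version> (true of Debian, Ubuntu and Fedora) and that sort -V is available; it does not know which versions carry the fix, since the article does not name them, so it only tells you whether the kernel you booted is the newest one you have.

```shell
#!/bin/sh
# Added example: is the kernel that is actually running the newest one
# installed? A package update alone does not protect a machine until it
# boots the new kernel. Assumes kernels live at /boot/vmlinuz-<version>
# (Debian, Ubuntu, Fedora); adapt the path for other layouts.

# kver_lt A B: exit 0 if kernel version string A sorts before B, 1 otherwise.
# sort -V compares digit runs numerically, so 5.15.0-91 < 5.15.0-100.
kver_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# newest_kernel [VERSION...]: print the highest version among the arguments.
# With no arguments, read the installed versions from /boot instead.
newest_kernel() {
    if [ "$#" -gt 0 ]; then
        printf '%s\n' "$@" | sort -V | tail -n1
    else
        ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n1
    fi
}

# check_running RUNNING NEWEST: print a verdict. Returns 0 if RUNNING is
# already the newest, 1 if a newer kernel is installed but not yet booted,
# 2 if no installed kernel could be found to compare against.
check_running() {
    running=$1
    newest=$2
    if [ -z "$newest" ]; then
        echo "no kernels found under /boot; cannot compare"
        return 2
    fi
    if kver_lt "$running" "$newest"; then
        echo "REBOOT NEEDED: running $running, newest installed is $newest"
        return 1
    fi
    echo "OK: running $running is the newest installed kernel"
    return 0
}

# Stand-alone use on a live system: ./kcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    check_running "$(uname -r)" "$(newest_kernel)"
fi
```

Run it with --live after the package update and again after the reboot; a non-zero exit from check_running is the signal that the update has not taken effect yet. On systems that use a live-patching service, the running version string will not change, so this check is a complement to that service's own status output, not a replacement for it.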