CVE-2021-22555
Published: 2021-07-07
Priority: P1 · 89 · high · CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability (due 2025-10-27) · Exploited in the wild
EPSS: 78.68% (99.5th percentile)
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 5.10.38-1 (bookworm) | linux 5.10.38-1 (bookworm) |
| linux | linux_kernel | >= 0 < 5.10.38-1 | 5.10.38-1 |
| linux | linux_kernel | >= 0 < 4.4.0-214.246 | 4.4.0-214.246 |
| linux | linux_kernel | >= 0 < 4.4.0-213.245 | 4.4.0-213.245 |
| linux | linux_kernel | >= 0 < 4.4.0-218.251 | 4.4.0-218.251 |
| linux | linux_kernel | >= 0 < 4.15.0-156.163 | 4.15.0-156.163 |
| linux | linux_kernel | >= 0 < 4.15.0-144.148 | 4.15.0-144.148 |
| linux | linux_kernel | >= 0 < 4.15.0-166.174 | 4.15.0-166.174 |
| linux | linux_kernel | >= 0 < 5.4.0-84.94 | 5.4.0-84.94 |
| linux | linux_kernel | >= 0 < 5.4.0-74.83 | 5.4.0-74.83 |
| linux | linux_kernel | >= 0 < 5.4.0-92.103 | 5.4.0-92.103 |
| linux | linux_kernel | >= 2.6.19 < 4.4.267 | 4.4.267 |
| linux | linux_kernel | >= 2.6.19-rc1 < unspecified | unspecified |
| linux | linux_kernel | >= 4.10 < 4.14.231 | 4.14.231 |
| linux | linux_kernel | >= 4.15 < 4.19.188 | 4.19.188 |
| linux | linux_kernel | >= 4.20 < 5.4.113 | 5.4.113 |
| linux | linux_kernel | >= 4.5 < 4.9.267 | 4.9.267 |
| linux | linux_kernel | >= 5.11 < 5.12 | 5.12 |
| linux | linux_kernel | >= 5.5 < 5.10.31 | 5.10.31 |
| paloalto | pan-os | — | — |
Detection & IOCs (extracted from sources)
- Exploit targets the xt_compat_target_from_user() function in net/netfilter/x_tables.c via setsockopt with IPT_SO_SET_REPLACE or IP6T_SO_SET_REPLACE from a 32-bit process on a 64-bit system; monitor for unprivileged processes invoking these setsockopt options.
- Exploit requires user namespaces (CONFIG_USER_NS + CONFIG_NET_NS); monitor for unprivileged calls to unshare(CLONE_NEWUSER) or unshare(CLONE_NEWNET) as a precursor to exploitation.
- Post-exploitation stage escapes container by calling setns() on /proc/1/ns/mnt, /proc/1/ns/pid, and /proc/1/ns/net; monitor for unprivileged processes opening /proc/1/ns/* file descriptors.
- Exploit overwrites modprobe_path kernel variable to achieve arbitrary code execution as root; monitor for unexpected changes to the modprobe_path kernel symbol value (e.g., via /proc/sys or kernel debugger).
- Exploit triggers modprobe_path execution by writing a file with an unknown magic number (0xdeadbeef) and executing it; detect creation and execution of files with magic bytes 0xEF 0xBE 0xAD 0xDE by non-root users.
- CVE-2021-22555 was observed being exploited in the wild by the Earth Krahang APT for Linux privilege escalation alongside CVE-2021-4034 and CVE-2016-5195; correlate Linux priv-esc attempts with these CVEs in the same intrusion.
- Exploit uses msg_msg / skbuff heap spray with 4096 message queues (NUM_MSQIDS) and 256 pipe file descriptors (NUM_PIPEFDS) to manipulate the slab allocator; anomalous creation of thousands of IPC message queues by a single process is a strong indicator.
- Exploitation via unprivileged users is only possible when the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS; on RHEL 7 only privileged users can trigger the bug.
- On RHEL 8, the impact is limited to corruption of 4 bytes of memory for a regular user; full privilege escalation requires additional conditions.
- Mitigation: disable unprivileged user namespaces by setting user.max_user_namespaces = 0 in /etc/sysctl.d/; note this breaks Linux container workloads.
- The public exploit (exploit-db 50135) contains hardcoded kernel-specific ROP gadget offsets for KERNEL_COS_5_4_89 and KERNEL_UBUNTU_5_8_0_48; it will not work on other kernel builds without modification.
- Kernels up to and including 5.11 are vulnerable; kernels beyond this version are not affected per NVD configuration data.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 8.3 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_debian | — | 8.3 | HIGH | — |
| vendor_redhat | — | 8.3 | HIGH | — |
| vendor_ubuntu | — | 8.3 | HIGH | — |
CISA
Linux Kernel Heap Out-of-Bounds Write Vulnerability
cisa·2025-10-06·CVSS 7.8
CVE-2021-22555 [HIGH] CWE-787 Linux Kernel Heap Out-of-Bounds Write Vulnerability
Vulnerability: Linux Kernel Heap Out-of-Bounds Write Vulnerability
Affected: Linux Kernel
Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21 ; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d ; https://security.netapp.com/advisory/ntap-20210
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Ubuntu
Kernel Live Patch Security Notice
vendor_ubuntu·2022-01-06·CVSS 7.8
CVE-2021-33909 [HIGH] Kernel Live Patch Security Notice
Title: Kernel Live Patch Security Notice
Summary: Several security issues were fixed in the kernel.
The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c. (CVE-2018-25020)
Maxim Levitsky discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel did not properly prevent a guest VM from enabling AVIC in nested guest VMs. An attacker in a guest VM could use this to write to portions of the host's physical memory. (CVE-2021-3653)
Nadav Amit discovered that the hugetlb implementation in the Linux kernel did not perform TLB flushes under
Ubuntu
Kernel Live Patch Security Notice
vendor_ubuntu·2021-09-13·CVSS 8.3
CVE-2021-3653 [HIGH] Kernel Live Patch Security Notice
Title: Kernel Live Patch Security Notice
Summary: Several security issues were fixed in the kernel.
Maxim Levitsky discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel did not properly prevent a guest VM from enabling AVIC in nested guest VMs. An attacker in a guest VM could use this to write to portions of the host's physical memory. (CVE-2021-3653)
Maxim Levitsky and Paolo Bonzini discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel allowed a guest VM to disable restrictions on VMLOAD/VMSAVE in a nested guest. An attacker in a guest VM could use this to read or write portions of the host's physical memory. (CVE-2021-3656)
Andy Nguyen discovered that the netfilter subsystem in the Linux kernel contained an out-of-bo
Ubuntu
Kernel Live Patch Security Notice
vendor_ubuntu·2021-08-16·CVSS 8.3
CVE-2021-22555 [HIGH] Kernel Live Patch Security Notice
Title: Kernel Live Patch Security Notice
Summary: Several security issues were fixed in the kernel.
Andy Nguyen discovered that the netfilter subsystem in the Linux kernel contained an out-of-bounds write in its setsockopt() implementation. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-22555)
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2021-08-12
CVE-2021-22555 Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: The system could be made to crash or run programs as an administrator.
Andy Nguyen discovered that the netfilter subsystem in the Linux kernel contained an out-of-bounds write in its setsockopt() implementation. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE,
Red Hat
kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c
vendor_redhat·2021-07-07·CVSS 8.3
CVE-2021-22555 [HIGH] CWE-787 kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c
kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
A flaw was discovered in processing setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) for 32-bit processes on 64-bit systems. This flaw will allow a local user to gain privileges or cause a DoS through user name space. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.
Statement: In Red Hat Enterprise Linux 7, only privileged users can trigger t
Debian
CVE-2021-22555: linux - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in n...
vendor_debian·2021·CVSS 8.3
CVE-2021-22555 [HIGH] CVE-2021-22555: linux - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in n...
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
Scope: local
bookworm: resolved (fixed in 5.10.38-1)
bullseye: resolved (fixed in 5.10.38-1)
forky: resolved (fixed in 5.10.38-1)
sid: resolved (fixed in 5.10.38-1)
trixie: resolved (fixed in 5.10.38-1)
Kernel
ipc, msg: Use dedicated slab buckets for alloc_msg()
kernel_security·2024-07-01·CVSS 7.0
CVE-2021-26708 [HIGH] ipc, msg: Use dedicated slab buckets for alloc_msg()
ipc, msg: Use dedicated slab buckets for alloc_msg()
The msg subsystem is a common target for exploiting [1][2][3][4][5][6][7] use-after-free type confusion flaws in the kernel for both read and write primitives. Avoid having a user-controlled dynamically-sized allocation share the global kmalloc cache by using a separate set of kmalloc buckets via the kmem_buckets API.
Link: https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/ [1]
Link: https://hardenedvault.net/blog/2022-11-13-msg_msg-recon-mitigation-ved/ [2]
Link: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html [3]
Link: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html [4]
Link: https://google.github.io/security-research/pocs/linux/cve-2021-22555/
OSV
Kernel Live Patch Security Notice
osv·2022-01-06·CVSS 7.8
CVE-2018-25020 [HIGH] Kernel Live Patch Security Notice
Kernel Live Patch Security Notice
The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c. (CVE-2018-25020)
Maxim Levitsky discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel did not properly prevent a guest VM from enabling AVIC in nested guest VMs. An attacker in a guest VM could use this to write to portions of the host's physical memory. (CVE-2021-3653)
Nadav Amit discovered that the hugetlb implementation in the Linux kernel did not perform TLB flushes under certain conditions. A local attacker could use this to leak or alte
OSV
CVE-2021-22555: In xt_compat_target_from_user of x_tables
osv·2021-10-01
CVE-2021-22555 CVE-2021-22555: In xt_compat_target_from_user of x_tables
In xt_compat_target_from_user of x_tables.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
OSV
Kernel Live Patch Security Notice
osv·2021-09-13·CVSS 7.8
CVE-2021-3653 [HIGH] Kernel Live Patch Security Notice
Kernel Live Patch Security Notice
Maxim Levitsky discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel did not properly prevent a guest VM from enabling AVIC in nested guest VMs. An attacker in a guest VM could use this to write to portions of the host's physical memory. (CVE-2021-3653)
Maxim Levitsky and Paolo Bonzini discovered that the KVM hypervisor implementation for AMD processors in the Linux kernel allowed a guest VM to disable restrictions on VMLOAD/VMSAVE in a nested guest. An attacker in a guest VM could use this to read or write portions of the host's physical memory. (CVE-2021-3656)
Andy Nguyen discovered that the netfilter subsystem in the Linux kernel contained an out-of-bounds write in its setsockopt() implementation. A local attacker cou
OSV
Kernel Live Patch Security Notice
osv·2021-08-16·CVSS 7.8
CVE-2021-22555 [HIGH] Kernel Live Patch Security Notice
Kernel Live Patch Security Notice
Andy Nguyen discovered that the netfilter subsystem in the Linux kernel contained an out-of-bounds write in its setsockopt() implementation. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-22555)
OSV
CVE-2021-22555: A heap out-of-bounds write affecting Linux since v2
osv·2021-07-07·CVSS 7.8
CVE-2021-22555 [HIGH] CVE-2021-22555: A heap out-of-bounds write affecting Linux since v2
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
VulnCheck
Linux Kernel Heap Out-of-Bounds Write Vulnerability
vulncheck·2021·CVSS 8.3
CVE-2021-22555 [HIGH] CWE-787 Linux Kernel Heap Out-of-Bounds Write Vulnerability
Linux Kernel Heap Out-of-Bounds Write Vulnerability
Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.
Affected: Linux Kernel
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html; https://securelist.com/vulnerabilities-and-exploits-in-q2-2025/117333/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://securelist.com/vulnerabilities-and-exploits-in-q3-2025/118197/; https://www.loginsoft.com/reports/ann
No detection rules found.
Exploit-DB
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation
exploitdb·2021-07-15·CVSS 8.3
CVE-2021-22555 [HIGH] Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation
Linux Kernel 2.6.19
```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
// clang-format on
#define PAGE_SIZE 0x1000
#define PRIMARY_SIZE 0x1000
#define SECONDARY_SIZE 0x400
#define NUM_SOCKETS 4
#define NUM_SKBUFFS 128
#define NUM_PIPEFDS 256
#define NUM_MSQIDS 4096
#define HOLE_STEP 1024
#define MTYPE_PRIMARY 0x41
#define MTYPE_SECONDARY 0x42
#define MTYPE_FAKE 0x1337
#define MSG_TAG 0xAAAAAAAA
// #define KERNEL_COS_5_4_89 1
#define KERNEL_UBUNTU_5_8_0_48 1
// clang-format off
#ifdef KERNEL_COS_5_4_89
// 0xffffffff810360f8 : push rax ; jmp qword ptr [rcx]
#define PUSH_RAX_JMP_QWORD_PTR_RCX 0x360F8
// 0xffffffff815401df : pop rsp ; pop rbx ; ret
#define POP_RSP_POP_RBX_RET 0x5401DF
// 0xffffffff816d3
```
Metasploit
Netfilter x_tables Heap OOB Write Privilege Escalation
metasploit·CVSS 7.8
CVE-2021-22555 [HIGH] Netfilter x_tables Heap OOB Write Privilege Escalation
Netfilter x_tables Heap OOB Write Privilege Escalation
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space. Kernels up to 5.11 (including) are vulnerable. More information about vulnerable kernels is available at https://nvd.nist.gov/vuln/detail/CVE-2021-22555#vulnConfigurationsArea
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist·2026-05-07·CVSS 7.8
CVE-2026-21519 [HIGH] Exploits and vulnerabilities in Q1 2026
Alexander Kolesnikov
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Windows and Linux vulnerability exploitation
- Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- CVE-2026-21519: Desktop Window Manager vulnerability
- RegPwn (CVE-2026-21533): a system settings access control vulnerability
- CVE-2026-21514: a Microsoft Office vulnerability
- Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
- CVE-2026-34070: LangChain framework vulnerability
- CVE-2026-22812: an OpenCode vulnerability
- Conclusion and advice
Authors
- Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist·2026-03-06
Vulnerability landscape in Q4 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist·2026-03-06·CVSS 7.8
CVE-2025-55182 [HIGH] Exploits and vulnerabilities in Q4 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Windows and Linux vulnerability exploitation
- Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- React2Shell (CVE-2025-55182): a vulnerability in React Server Components
- CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
- CVE-2025-11001: a vulnerability in 7-Zip
- RediShell (CVE-2025-49844): a vulnerability in Redis
- CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
- CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Securelist
Exploits and vulnerabilities in Q3 2025
blogs_securelist·2025-12-03·CVSS 7.8
CVE-2025-49704 [HIGH] Exploits and vulnerabilities in Q3 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Windows and Linux vulnerability exploitation
- Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass
- CVE-2025-8088: a directory traversal vulnerability in WinRAR
- CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools
- Conclusion and advice
Authors
- Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vuln
Securelist
Analyzing the vulnerability landscape in Q3 2025
blogs_securelist·2025-12-03
Analyzing the vulnerability landscape in Q3 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.
## Statistics on
Securelist
Vulnerability landscape analysis for Q2 2025
blogs_securelist·2025-08-27
Vulnerability landscape analysis for Q2 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera
Trendmicro
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
blogs_trendmicro·2024-03-18
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
APT & Targeted Attacks
# Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa.
By: Joseph C Chen, Daniel Lunghi
2024/03/18
## Introduction
Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa. The threat actor exploits public-facing servers and sends spear phishing emails to deliver previously unseen backdoors.
Our research allowed us to identify the campaign’s multiple connect
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
arXiv
KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities
arxiv_fulltext·2024-09-24
KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities
Bonan Ruan
National University of Singapore
Jiahao Liu
National University of Singapore
Chuqi Zhang
National University of Singapore
Zhenkai Liang
National University of Singapore
## Abstract
Linux kernel vulnerability reproduction is a critical task in system security.
To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed.
Most existing research focuses on the generation of PoC, while the construction of environment is overlooked.
However, establishing an effective vulnerable environment to trigger a vulnerability is challenging.
Firstly, it is hard to guarantee that the selected kernel version for reproduction is vulnerable, as the vulner
arXiv
BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS
arxiv_fulltext·2024-09-15
BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS
Yinggang Guo (1,2), Zicheng Wang (1), Weiheng Bai (2), Qingkai Zeng (1) and Kangjie Lu (2)
1 State Key Laboratory for Novel Software Technology, Nanjing University; 2 University of Minnesota
{gyg, wzc}@smail.nju.edu.cn
Network and Distributed System Security (NDSS) Symposium 2025
23 - 28 February 2025, San Diego, CA, USA
ISBN 979-8-9894372-8-3
https://dx.doi.org/10.14722/ndss.2025.23328
www.ndss-symposium.org
## Abstract
The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to co
arXiv
Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems
arxiv_fulltext·2024-09-07
Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems
Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems
Jinmeng Zhou, Jiayi Hu, Ziyue Pan, Jiaxun Zhu, Wenbo Shen, Guoren Li, Zhiyun Qian
Jinmeng Zhou, Jiayi Hu, Ziyue Pan, Jiaxun Zhu and Wenbo Shen are with the College of Computer Science and Technology at Zhejiang University, Hangzhou, Zhejiang, 310027, China.
Email: {jinmengzhou, hujiayi, ziyuepan, sevenswords, shenwenbo}@zju.edu.cn;
Guoren Li and Zhiyun Qian are with the Department of Computer Science and Engineering, University of California, Riverside 92521, USA.
Wenbo Shen is the corresponding author.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. XX, 20XX
## Abstra
CTF
pwn_me_if_you_kern / pwn_me_if_you_kern
ctf_writeups·2023
pwn_me_if_you_kern / pwn_me_if_you_kern
---
title: "[pwnme 2023 - pwn] PwnMeIfYouKern"
date: 2023-09-05
tags: ["ctf", "tek", "linux", "kernel"]
---
PwnMeIfYouKern was a linux kernel exploitation challenge from pwnme 2023.
There were no SMAP or SMEP, but KASLR was activated.
```sh
user@PwnMeIfYouKern:~$ cat /proc/cpuinfo | grep sm.p
user@PwnMeIfYouKern:~$ cat /proc/cmdline
console=ttyS0 loglevel=3 oops=panic panic=1 kaslr
user@PwnMeIfYouKern:~$ cat /proc/sys/vm/mmap_min_addr
4096
```
## TL;DR
- we manipulate elements from a linked list
- each element contains a buffer, its size, and a pointer to the next element of the list
- there is a buffer overflow: we can change the size of the buffer to leak data, and overwrite the pointer to the next element to get an arbitrary read/write
- break kaslr by leaking a `pipe_buffer` structu
References
- http://packetstormsecurity.com/files/163528/Linux-Kernel-Netfilter-Heap-Out-Of-Bounds-Write.html
- http://packetstormsecurity.com/files/163878/Kernel-Live-Patch-Security-Notice-LSN-0080-1.html
- http://packetstormsecurity.com/files/164155/Kernel-Live-Patch-Security-Notice-LSN-0081-1.html
- http://packetstormsecurity.com/files/164437/Netfilter-x_tables-Heap-Out-Of-Bounds-Write-Privilege-Escalation.html
- http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d
- https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528
- https://security.netapp.com/advisory/ntap-20210805-0010/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22555
Timeline
- 2021-07-07: Published
- 2025-10-06: Added to CISA KEV
- Exploited in the wild