Active Exploitation Confirmed
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a Linux kernel vulnerability that is being actively exploited in real-world attacks. The flaw, which involves improper authentication in the kernel’s control groups (cgroups) mechanism, allows local attackers to escalate privileges. The agency added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling credible evidence of active exploitation.
Mechanism and Impact
The vulnerability lies in the cgroups v1 release_agent feature, which lacks sufficient validation and authentication controls. The feature is designed to execute a script when a control group becomes empty. An attacker who has already gained initial access, such as through a compromised container, can manipulate this mechanism to run arbitrary commands with elevated privileges. This can lead to container escape, giving the attacker root-level access on the host system and enabling lateral movement within cloud infrastructure. The issue is classified under improper authentication and missing authorization weaknesses.
Mitigation Requirements
Federal agencies are required to apply patches or implement mitigations by early June 2026 under a binding operational directive. Organizations using Linux systems, particularly those in containerized or cloud-native environments, are strongly urged to update promptly to a patched kernel version that addresses the release_agent issue, reducing the risk of compromise.
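As a check to run alongside patching, the following added example (not from the article or from CISA) lists the cgroup v1 hierarchies in a mounts file and flags any whose release_agent is set. The function names, the sample tree and the agent path are constructed for illustration; the /proc/mounts field layout and the release_agent file at the root of each v1 hierarchy are the kernel's.

```shell
#!/bin/sh
# Added example: audit cgroup v1 release_agent settings (defender-side check).

# Print mount points of cgroup v1 hierarchies listed in a mounts file.
# Fields: device mountpoint fstype options ...; fstype "cgroup" is v1,
# "cgroup2" is the unified hierarchy, which has no release_agent file.
list_v1_mounts() {
    awk '$3 == "cgroup" { print $2 }' "$1"
}

# audit_release_agent MOUNTS_FILE [ROOT_PREFIX]
# Returns 1 if any v1 hierarchy has a non-empty release_agent, else 0.
# File size is not tested: cgroupfs reports size 0 even when a value is set.
audit_release_agent() {
    mounts=$1; root=${2:-}; rc=0
    for mp in $(list_v1_mounts "$mounts"); do
        f="$root$mp/release_agent"
        if [ ! -r "$f" ]; then
            # Typical inside a container that only sees a sub-cgroup.
            echo "SKIP  $mp (no readable release_agent)"
        elif [ -n "$(tr -d '[:space:]' < "$f")" ]; then
            echo "ALERT $mp release_agent=$(cat "$f")"
            rc=1
        else
            echo "OK    $mp release_agent empty"
        fi
    done
    return "$rc"
}

# Constructed sample: a fake mounts file and hierarchy tree under DIR.
make_sample() {
    dir=$1
    mkdir -p "$dir/sys/fs/cgroup/memory" "$dir/sys/fs/cgroup/rdma"
    cat > "$dir/mounts" <<'EOF'
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,rdma 0 0
EOF
    : > "$dir/sys/fs/cgroup/memory/release_agent"
    echo "/tmp/constructed-agent.sh" > "$dir/sys/fs/cgroup/rdma/release_agent"
}

# Demo on the constructed sample. On a real host: audit_release_agent /proc/mounts
tmp=$(mktemp -d)
make_sample "$tmp"
audit_release_agent "$tmp/mounts" "$tmp" || echo "review the ALERT lines above"
rm -rf "$tmp"
```

A non-empty value is not proof of compromise; compare it with what the host's init system or orchestration is expected to set.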
Source: Cyber Security News
