Actively Exploited Linux Kernel Vulnerabilities
CISA Known Exploited Vulnerabilities catalog · Updated daily
26 Linux kernel CVEs have been confirmed as actively exploited in the wild and are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. This represents 0.16% of all 15,984 Linux kernel CVEs indexed — a small but extremely high-priority set. Of these, 0 are rated Critical severity and 24 High. The absence of Critical-rated CVEs in this set reflects the gap between CVSS severity and real-world exploitation — many actively exploited vulnerabilities are High rather than Critical because they require local access or low privileges to exploit, which limits their CVSS score despite their practical danger. US federal agencies are required to patch KEV-listed vulnerabilities within defined deadlines. For all organisations, KEV status is the highest-signal indicator for immediate patching priority.
The CISA Known Exploited Vulnerabilities catalog is maintained by the US Cybersecurity and Infrastructure Security Agency. It lists CVEs confirmed as actively exploited in real-world attacks — not just theoretically exploitable. US federal agencies are legally required to patch KEV entries within defined deadlines. For private organisations, KEV status is the most reliable signal for immediate patching priority.
Notable Actively Exploited CVEs
The following CVEs are among the most significant actively exploited Linux kernel vulnerabilities confirmed by CISA.
CVE-2024-1086: A use-after-free flaw in the Linux kernel's netfilter nf_tables component allowing local privilege escalation to root. Widely exploited by threat actors on unpatched Linux servers. Affects kernels 3.15–6.7.2. Fixed in 6.1.76, 6.6.15, and 6.7.3. No workaround: patching is the only remediation.
CVE-2021-3493: An improper input validation flaw in the Linux kernel's OverlayFS implementation allowing unprivileged local users to gain root on Ubuntu systems. Particularly dangerous in containerised environments: attackers used it to escape Docker containers and escalate to host root. Fixed via Ubuntu kernel security update, April 2021.
CVE-2022-0847: Known as Dirty Pipe, a flaw in the Linux kernel's pipe mechanism allowing unprivileged users to overwrite read-only files, including /etc/passwd. Discovered by Max Kellermann and disclosed March 2022. Affects kernels 5.8–5.16.10. Fixed in 5.16.11, 5.15.25, and 5.10.102. One of the most widely publicised Linux kernel vulnerabilities in recent years.
All Actively Exploited Linux Kernel CVEs
26 CVEs in CISA KEV

| CVE ID | Package | Severity | CVSS | Published | Description | |
|---|---|---|---|---|---|---|
| CVE-2013-6282 | linux | High KEV | 8.8 | 2013-11-20 | The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not… | |
| CVE-2022-0185 | linux | High KEV | 8.4 | 2022-02-11 | A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functi… | |
| CVE-2013-2597 | linux | High KEV | 8.4 | 2014-08-31 | Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.… | |
| CVE-2013-2094 | linux | High KEV | 8.4 | 2013-05-14 | The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data … | |
| CVE-2026-31431 | linux | High KEV | 7.8 | 2026-04-22 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla… | |
| CVE-2024-53197 | linux | High KEV | 7.8 | 2024-12-27 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesse… | |
| CVE-2024-53104 | linux | High KEV | 7.8 | 2024-12-02 | In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS… | |
| CVE-2024-36971 | linux | High KEV | 7.8 | 2024-06-10 | In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negativ… | |
| CVE-2024-1086 | linux | High KEV | 7.8 | 2024-01-31 | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local p… | |
| CVE-2023-0386 | linux | High KEV | 7.8 | 2023-03-22 | A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities w… | |
| CVE-2022-0847 | linux | High KEV | 7.8 | 2022-03-10 | A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in co… | |
| CVE-2022-0492 | linux | High KEV | 7.8 | 2022-03-03 | A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. T… | |
| CVE-2021-3493 | linux | High KEV | 7.8 | 2021-04-17 | The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting … | |
| CVE-2019-2215 | linux | High KEV | 7.8 | 2019-10-11 | A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interact… | |
| CVE-2019-13272 | linux | High KEV | 7.8 | 2019-07-17 | In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a proc… | |
| CVE-2018-14634 | linux | High KEV | 7.8 | 2018-09-25 | An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with … | |
| CVE-2017-1000253 | linux | High KEV | 7.8 | 2017-10-05 | Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb… | |
| CVE-2014-3153 | linux | High KEV | 7.8 | 2014-06-07 | The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two dif… | |
| CVE-2013-2596 | linux | High KEV | 7.8 | 2013-04-13 | Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certai… | |
| CVE-2010-3904 | linux | High KEV | 7.8 | 2010-12-06 | The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the… | |
| CVE-2025-38352 | linux | High KEV | 7.4 | 2025-07-22 | In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu… | |
| CVE-2024-53150 | linux | High KEV | 7.1 | 2024-12-24 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when findi… | |
| CVE-2023-0266 | linux | High KEV | 7.0 | 2023-01-30 | A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 … | |
| CVE-2016-5195 | linux | High KEV | 7.0 | 2016-11-10 | Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by le… | |
| CVE-2024-50302 | linux | Medium KEV | 5.5 | 2024-11-19 | In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since … | |
| CVE-2014-0196 | linux | Medium KEV | 5.5 | 2014-05-07 | The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver … |