Severity
High
Analysis Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new high-severity Linux kernel vulnerability, tracked as CVE-2025-38352, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw, disclosed on September 4, 2025, is a Time-of-Check Time-of-Use (TOCTOU) race condition, which creates a critical gap between security checks and resource usage. This type of vulnerability can allow attackers to manipulate system operations during that short window, enabling privilege escalation, data manipulation, or system crashes that directly compromise confidentiality, integrity, and availability.
Inclusion of CVE-2025-38352 in the KEV catalog activates Binding Operational Directive (BOD) 22-01, requiring Federal Civilian Executive Branch (FCEB) agencies to apply patches or discontinue affected systems by September 25, 2025. While the directive is mandatory only for federal agencies, CISA strongly urges private sector organizations to act swiftly, as Linux powers a massive portion of global infrastructure, including web servers, cloud environments, Android devices, and IoT systems, making the potential attack surface extremely broad.
Security experts warn that kernel-level vulnerabilities such as this present foundational risks, as exploitation enables attackers to gain deeper access and persistence within networks. Although there is currently no confirmed link to ransomware campaigns, adversaries often use similar exploits for lateral movement and privilege escalation before deploying ransomware or stealing sensitive data. The scale of this vulnerability amplifies the risk across industries, highlighting the urgency of timely mitigation.
To defend against exploitation, CISA advises organizations to immediately apply vendor-provided patches from Linux distribution maintainers such as Red Hat, Canonical (Ubuntu), and SUSE. In cases where patches or mitigations are not yet available, organizations should follow vendor-specific guidance, apply temporary workarounds for cloud services, or discontinue use of affected products to minimize exposure. Given the widespread reliance on Linux, failure to remediate CVE-2025-38352 could have cascading effects across critical infrastructure and enterprise systems worldwide.
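The check-then-use window described in the summary above, as an added illustration that is not part of this advisory and does not reproduce the kernel code behind CVE-2025-38352 (the advisory does not name the affected subsystem): a userspace C program contrasting the classic racy access()-then-open() pattern, where the path is resolved twice and the object behind it can change in between, with a hardened open()-then-fstat() form that performs the check on the very object it is about to use. The function names (open_readable_racy, open_readable_safe, run_demo), the /tmp locations and the sample file contents are assumptions of this example, constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (check-then-use): access() resolves the path for the
 * check and open() resolves it again for the use. Whatever sits behind the
 * name can be swapped between the two resolutions, so the check says
 * nothing reliable about the object that is eventually opened. */
int open_readable_racy(const char *path)
{
    if (access(path, R_OK) != 0)   /* check: first path resolution */
        return -1;
    return open(path, O_RDONLY);   /* use: second path resolution (the window) */
}

/* Hardened pattern: open first, then inspect the descriptor we actually hold.
 * The name is resolved exactly once, so there is no window to race, and the
 * properties are read from the opened object rather than from the name. */
int open_readable_safe(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* a symlink as final component fails with ELOOP */

    struct stat st;
    if (fstat(fd, &st) != 0 ||     /* check on the fd, not on the path */
        !S_ISREG(st.st_mode) ||    /* refuse directories, FIFOs, device nodes */
        st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demonstration on a temporary file plus a symlink pointing at
 * it. Returns 1 when every expectation holds, 0 otherwise. */
int run_demo(void)
{
    char path[] = "/tmp/toctou_demo_XXXXXX";   /* constructed sample file */
    char link[64];
    int ok = 1, fd;

    fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (write(fd, "sample\n", 7) != 7)
        ok = 0;
    close(fd);

    snprintf(link, sizeof link, "%s.lnk", path);
    unlink(link);
    if (symlink(path, link) != 0)
        ok = 0;

    /* 1. the hardened open accepts a regular file owned by the caller */
    fd = open_readable_safe(path, getuid());
    if (fd < 0) ok = 0; else close(fd);

    /* 2. the hardened open refuses the symlink outright (no second resolution) */
    if (open_readable_safe(link, getuid()) != -1)
        ok = 0;

    /* 3. the racy open follows the symlink without noticing anything */
    fd = open_readable_racy(link);
    if (fd < 0) ok = 0; else close(fd);

    /* 4. a directory passes open() but is rejected by the fstat() check */
    if (open_readable_safe("/tmp", getuid()) != -1)
        ok = 0;

    unlink(link);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("%s\n", run_demo() ? "all expectations hold" : "a check failed");
    return 0;
}
```

The defensive lesson carries over to kernel code: a check is only meaningful if it is performed on the same object, under the same lock or reference, that the subsequent use operates on. Detection-wise, a process that repeatedly creates and replaces symlinks or files under paths a privileged service is about to touch is a pattern worth alerting on, since it is the userspace-visible side of a race attempt.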
Impact
- Privilege Escalation
- Data Manipulation
Indicators of Compromise
CVE
CVE-2025-38352
Affected Vendors
Remediation
- Apply vendor-provided patches immediately from Linux distribution maintainers such as Red Hat, Canonical (Ubuntu), and SUSE.
- Follow security advisories and patching instructions issued by your specific Linux distribution provider.
- Implement mitigations or workarounds if official patches are not yet available, especially for cloud or containerized environments.
- Discontinue use of affected products where patches or mitigations cannot be applied, in line with CISA’s guidance.
- Prioritize patch management across all Linux-based systems, including servers, cloud infrastructure, Android devices, and IoT systems.
- Monitor CISA KEV updates and ensure compliance with Binding Operational Directive (BOD) 22-01 deadlines for federal agencies.
- Harden system security by enforcing least privilege, monitoring for abnormal kernel-level activity, and using intrusion detection tools.
- Maintain incident response readiness in case exploitation is detected, including logging, forensic analysis, and rollback procedures.