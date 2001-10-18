A high-severity cache invalidation bug in the Linux kernel has been uncovered, which could allow an attacker to gain root privileges on the targeted system.

This is the second Linux kernel flaw to surface in the past week; a local privilege-escalation issue was also recently discovered.

The flaw (CVE-2018-17182), which exists in the memory-management code of Linux kernel versions 3.16 through 4.18.8, can be exploited in many different ways, “even from relatively strongly sandboxed contexts,” according to Jann Horn, a researcher with Google Project Zero.

The Linux team fixed the problem in the upstream kernel tree within two days of Horn responsibly reporting it on Sept. 18, which Horn said was “exceptionally fast, compared to the fix times of other software vendors.”

The bad news is that Debian stable and Ubuntu releases 16.04 and 18.04 have not yet patched the vulnerability – and Android users remain at risk.

“Android only ships security updates once a month,” Horn said, in a blog post on the flaw this week. “Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users—especially if the security impact is not announced publicly.”

The Flaw