Hello, I checked LinkedIn and the CEO of a Security firm posted this (translated from Spanish): > I have just discovered a #vulnerability in the #Linux #kernel that > allows forcing a crash (exploitable locally, and in certain scenarios, > remotely). > > The issue lies in the RCU subsystem, which is critical for the > kernel's memory management. Unintentionally, I have found a way to > generate a "lock" in this subsystem, causing the kernel's own memory > management operations to fail (callbacks, memory allocation for process > structures, etc.). Unable to recover, a kernel panic occurs (the > equivalent of the Windows BSOD). > > I don't know how many kernel versions may be affected, as this > subsystem has been part of Linux for over two decades and I imagine > it has undergone many changes. However, the attack works on a version > of the 6.X branch like clockwork. > > I believe this bug could be dangerous in shared hosting environments, > VPS, etc. > > Let's see if I can find time to report it. Or not. If I see it can be > militarized (for remote attacks), I will add it to our #0day arsenal > for #pentest. Some clients sometimes simply want to see how a server > crashes to test contingency plans, etc. > > If I cannot exploit it remotely, or it doesn't have much value, I will > report it, as always. Unfortunately, our company cannot afford the > luxury of reporting interesting vulnerabilities (that serve us in our > day-to-day) for free. This is something that is sometimes not > understood, but we are an offensive security company (genuine), > we do not live off cloud smells. He appends a screenshot which I have saved in the WayBack Machine here: https://web.archive.org/web/20250115103832/https://www.linkedin.com/feed/update/urn:li:activity:7284277163200057344/ While I know this may be a bluff, I prefer reporting it first, just in case it is not. Best regards, Sergio M. Iglesias.
