Links
The Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, lets a local user on the same host read another user's authentication token and use it to reach that user's WorkSpace. Fix: upgrade to 2025.0 or later.
This article examines the average lifespan of kernel bugs, revealing they typically go undetected for over two years, with some lasting nearly 21 years. It highlights a tool that identifies historical bugs and discusses trends in bug discovery, particularly improvements in recent years.
Lynis is a security auditing tool for UNIX-based systems like Linux and macOS. It scans for vulnerabilities, configuration issues, and compliance with standards such as ISO27001 and PCI-DSS. System administrators and security professionals use it to enhance system defenses.
This article presents a proof-of-concept for sleep obfuscation on Linux using sigreturn-oriented programming (SROP): forged sigreturn frames sequence the encryption of the implant's PT_LOAD segments and heap before it sleeps and their decryption afterwards. The goal is the same as for the Windows originals of this technique: leave nothing in cleartext for memory scanners to find while the process is idle, which makes it an evasion technique rather than a defensive one.
This article explains a C++23 tool called Klint for incident response on Linux systems. It detects hidden kernel modules, rootkits, and other threats through multiple self-registering scanners. The tool runs in isolated processes and produces machine-readable JSON output for easy integration into automated workflows.
Vuls is an agentless vulnerability scanner for Linux, FreeBSD, Windows, and macOS. It automates vulnerability detection, reports which servers are affected, and generates scheduled reports so administrators can track patch status without installing anything on the targets.
Google's Big Sleep, its LLM-driven bug-finding project, has published reports on several now-fixed Linux kernel vulnerabilities; the post links the full list of issues it found.
Researchers found a sophisticated malware framework called VoidLink that targets Linux machines, particularly in cloud environments. It has over 30 customizable modules for reconnaissance, privilege escalation, and stealth, indicating a shift towards targeting Linux systems by professional threat actors.
Fail2Ban tails log files, counts failed login attempts per source address, and bans addresses that cross a threshold by adding firewall rules (iptables or nftables), usually for a limited ban time. It supports IPv4 and IPv6 and ships filters for many services. It is reactive and only raises the cost of brute force, so pair it with key-based or two-factor authentication rather than relying on it alone.
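The counting step described above, reduced to a shell function, as an added example that is not Fail2Ban's own code. It counts sshd "Failed password" events per source address over constructed log lines (203.0.113.0/24 and 2001:db8::/32 are documentation ranges) and prints the nftables command a ban action would run; the table and set names are hypothetical, and Fail2Ban's real action templates differ.

```shell
#!/bin/sh
# Added example, not code from Fail2Ban or the linked article.
# offenders MAXRETRY < auth.log  -> one offending address per line, sorted
offenders() {
    maxretry="$1"
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the field after "from"; works for v4 and v6
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= max) print ip }
    ' | sort
}

# ban_cmd ADDRESS -> the nft command a ban action would run (printed, not executed).
# Table "f2b-sshd" and sets addr4/addr6 are hypothetical names for this example.
ban_cmd() {
    case "$1" in
        *:*) echo "nft add element inet f2b-sshd addr6 { $1 }" ;;
        *)   echo "nft add element inet f2b-sshd addr4 { $1 }" ;;
    esac
}

# Constructed sample log: one v4 address with three failures, one v6 with two,
# and a successful key login that must not count.
SAMPLE_LOG='Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  3 10:00:05 host sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar  3 10:00:09 host sshd[1210]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2
Mar  3 10:00:11 host sshd[1212]: Failed password for alice from 2001:db8::1 port 40001 ssh2
Mar  3 10:00:12 host sshd[1212]: Failed password for alice from 2001:db8::1 port 40002 ssh2'

# Dry run with maxretry=3: only 203.0.113.7 crosses the threshold.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | while read -r ip; do
    ban_cmd "$ip"
done
```

The threshold is the whole policy: lowering maxretry to 2 also bans the IPv6 address, and a real jail would additionally require the failures to fall inside a findtime window.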
VoidLink is a sophisticated malware framework targeting Linux systems, designed for stealthy, long-term access in cloud environments. It features a flexible architecture with over 30 plugins, capable of adapting its behavior based on the detected environment and employing various evasion techniques. The framework is linked to Chinese-affiliated developers and shows signs of rapid evolution.
This article details the architecture and techniques of Singularity, a Loadable Kernel Module rootkit for Linux 6.x. It covers methods for process concealment, file system stealth, and privilege escalation, highlighting how it evades detection through advanced hooking and anti-forensic tactics.
The article describes how the author used the o3 language model to find CVE-2025-37899, a remote zero-day vulnerability in ksmbd, the Linux kernel's in-kernel SMB server. It walks through the discovery process and what LLM-assisted auditing of kernel code means for security practice.
The author reflects on their initial disdain for systemd, which replaced traditional init systems and introduced a binary logging format, but ultimately concludes that systemd has been a successful evolution in process management for Linux. They highlight its backward compatibility, improved logging, scheduling, and enhanced security features, arguing that it has addressed many shortcomings of previous init systems and brought valuable new functionality.
The author discusses the challenge of creating a stable authenticated 0-click exploit for the Linux Kernel SMB3 Daemon (ksmbd), using real-world CVEs to demonstrate the process. They detail the selection of specific vulnerabilities, including a controlled SLUB overflow and an authenticated remote leak, to build an effective exploit chain. The article emphasizes the abundance of vulnerabilities in ksmbd and the importance of vulnerability research in developing exploits.
A rootkit built on the io_uring interface has been shown to slip past Linux security tooling that relies on syscall hooking: io_uring submits I/O through shared memory rings rather than one syscall per operation, so monitors watching syscalls never see its file and network activity. It maintains persistent, low-visibility access on infected systems, which is a real gap for administrators whose detection depends on syscall-based sensors.
Linux is experiencing growth on business desktops and laptops, increasing from 1.6% to 1.9% between January and June 2025, with a notable rise to 2.5% for new assets. The trend is attributed to heightened cybersecurity concerns and a shift towards DevOps practices, with Europe leading in adoption rates. Despite this gradual growth, challenges remain due to software compatibility and user familiarity with Linux compared to Windows and Mac systems.
A new Linux malware called "Plague" has been discovered, allowing attackers persistent SSH access while evading traditional detection methods for over a year. It employs advanced obfuscation techniques and environment tampering to eliminate traces of malicious activity, making it particularly difficult to identify and analyze. Researchers emphasize its sophisticated nature and the ongoing threat it poses to Linux systems.
FlipSwitch is a syscall hooking technique that works after Linux kernel 6.9, where x86 syscall dispatch stopped going through sys_call_table, so overwriting table entries (the classic rootkit method) no longer redirects anything. By patching the syscall dispatcher's machine code directly, FlipSwitch lets rootkits redirect syscalls while staying stealthy, which keeps the pressure on kernel text-integrity checking. Detection methods, including YARA rules, have been published to identify the patched dispatcher in memory or the rootkit on disk.
The article analyses a newly discovered Linux cryptominer: how it operates, its impact on system performance and security, and the methods it uses to hide its presence and evade detection. It closes with precautions for protecting systems against this kind of threat.
The XZ-Utils backdoor, discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, posing risks to users and organizations. Despite being reported, Debian has chosen not to remove the compromised images, citing low risk, which worries researchers because automated builds can pull them by accident. The backdoored releases are xz 5.6.0 and 5.6.1; check with `xz --version` inside any image you build on, and pin images that ship a fixed liblzma.
Two new vulnerabilities in Linux have been disclosed that can be exploited together to gain full root access. Additionally, CISA has warned of active exploitation of an older vulnerability affecting the Linux kernel, emphasizing the need for organizations to apply patches immediately.
Caracal is a Rust-based tool that leverages eBPF techniques to conceal specific target processes and programs from being visible in various system monitoring tools. It requires a Linux-based OS and the installation of specific dependencies like bpf-linker and Rust's nightly toolchain. Caracal is intended for educational purposes and is distributed under the GPLv3 license.
Eclypsium's BadCam research found that several Lenovo USB webcams run Linux and accept unsigned firmware, so an attacker with access to the host can reflash the camera and turn it into a BadUSB device that persists independently of the host operating system. Lenovo has released updated firmware; users should apply it and treat the cameras as the peripherals they are, not as trusted fixed hardware.
Falco is a cloud native runtime security tool for Linux that monitors real-time events and detects potential threats using custom rules. Originally developed by Sysdig and now maintained under the Cloud Native Computing Foundation, it integrates with container runtimes and Kubernetes, offering features like a command-line utility, plugins, and a structured codebase across multiple repositories. The project encourages community involvement and provides comprehensive documentation for setup and contributions.
KoviD is an open-source Loadable Kernel Module designed for educational and defensive security research, providing a platform for security professionals to understand and combat rootkit techniques within Linux systems. It enables users to analyze rootkit behavior, develop detection methods, and improve security strategies in a controlled environment. The project emphasizes responsible usage and compliance with legal regulations to ensure ethical testing practices.
The article explores Linux capabilities, the mechanism that splits the traditional superuser privilege into distinct units so a process can hold only what it needs. It shows how the same mechanism becomes a weakness when misused, in particular for privilege escalation and backdooring (for example, granting cap_setuid to a binary lets it become root without a SUID bit). It also provides the commands for viewing and managing capabilities on Linux systems.
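The check a practitioner wants after reading the above is to decode the raw capability masks the kernel exposes in /proc/<pid>/status and spot the root-equivalent ones. This is an added example, not code from the linked article; the bit numbers follow include/uapi/linux/capability.h, and the "root-equivalent" list is this example's own short list, an assumption rather than a kernel-defined set.

```shell
#!/bin/sh
# Added example, not code from the linked article.
# Capability names in bit order: CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# Assumption of this example: capabilities that let a holder become root or
# read/alter anything regardless of DAC, i.e. the ones a backdoor would want.
ROOT_EQUIV="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin \
cap_sys_module cap_sys_ptrace cap_setfcap cap_chown cap_fowner cap_sys_rawio cap_mknod"

# decode_caps HEXMASK -> comma-separated cap_* names, lowest bit first
# (HEXMASK is the value after CapEff:, CapPrm: or CapBnd: in /proc/<pid>/status)
decode_caps() {
    mask=$((0x$1))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}cap_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# risky_caps HEXMASK -> only the root-equivalent names, space-separated (empty if none)
risky_caps() {
    found=""
    for cap in $(decode_caps "$1" | tr ',' ' '); do
        case " $ROOT_EQUIV " in
            *" $cap "*) found="${found:+$found }$cap" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Live check of the current process (Linux only); empty output means no capabilities.
if [ -r /proc/self/status ]; then
    eff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    [ -n "$eff" ] && echo "effective: $(decode_caps "$eff")"
fi

# Hunting planted file capabilities needs libcap's getcap (run as root for full coverage):
#   getcap -r / 2>/dev/null
# Anything reporting cap_setuid, cap_dac_read_search or cap_sys_admin deserves a look.

decode_caps 0000000000000080          # a binary carrying only cap_setuid
decode_caps 000001ffffffffff | tr ',' '\n' | wc -l   # the full 41-capability root set
```

A mask of 000001ffffffffff in CapEff is what an unconfined root process shows; anything non-zero in CapEff for an unprivileged service, or a file with cap_setuid=ep that did not come from a package, is the kind of finding the article's backdooring section is about.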