
Linux Kernel 6.18 Launches With Big Architectural Upgrades and Bcachefs Removal

The Linux Kernel project reached another milestone with the official release of version 6.18, announced by Linus Torvalds. This update introduces a wide array of architectural changes, hardware enablement improvements, and feature adjustments, while also signaling a notable shift in how certain subsystems are maintained.

Although the release is immediately available from kernel.org or Torvalds’ public git tree, users are generally advised to wait for their distributions to publish the update in their stable repositories.

Major Subsystem Changes and the Removal of Bcachefs 

One of the most consequential shifts in Linux 6.18 is the complete removal of native support for the Bcachefs file system from the mainline kernel. Bcachefs will now only be obtainable as a DKMS module, marking the first time a kernel release has fully detached it from the core codebase.

Alongside this change, Linux 6.18 introduces the Rust Binder driver and a new dm-pcache device-mapper target, enabling persistent memory to serve as a caching layer for slower block devices. Administrators on x86 platforms gain a new microcode= command-line option, offering greater flexibility in controlling microcode-loading behavior.

File system updates extend across multiple components. The kernel adds support for file handles within kernel namespaces and introduces initial block-size-greater-than-page-size handling for Btrfs. LoongArch KVM now includes PTW feature detection on newer hardware, while the kernel gains support for running as a guest under FreeBSD’s Bhyve hypervisor.

Networking, Virtualization, and Performance Improvements 

Linux 6.18 brings a variety of enhancements to networking and virtualization capabilities. These include PSP encryption support for TCP connections, mixed CQE size support in shared ring buffers, additional Alder Lake-S SoC compatibility, AMD Secure AVIC guest support, and BPF arenas for the PowerPC architecture.

Performance-oriented improvements include better swap behavior and improved scaling for NFS servers, complemented by higher UDP receive performance. A new “sheaves” feature aims to optimize kernel memory allocation, while User-mode Linux gains support for sparse interrupts.

The EXT4 file system now supports 32-bit reserved user and group IDs and features a new ioctl() interface for querying and adjusting superblock parameters. The TCP stack receives early support for Accurate Explicit Congestion Notification (AccECN), and OverlayFS now provides case-folding functionality.

KVM has been updated to support control-flow enforcement technology (CET) on both Intel and AMD processors. Additional enhancements include SEV-SNP CipherText Hiding for x86 hosts and preserved vmalloc allocations through Kexec HandOver (KHO). Security updates range from multi-LSM support within the audit subsystem to the ability to sign BPF programs. The TPM feature TPM2_TCG_HMAC is now disabled by default.

Hardware Enablement and Future Outlook for Linux Kernel

Linux 6.18 expands hardware coverage with new and updated drivers. These include an EDAC driver for AMD VersalNET memory controllers, which reports hardware issues from several IP blocks using IPC-style transport, and an EDAC driver for ARM Cortex-A72 cores to report L1 and L2 cache errors. Additional device-related improvements include a virtio SPI driver allowing SPI devices to operate within virtual machines, support for the DualSense controller’s audio jacks, extended HID handling for haptic touchpads, and enablement for Apple’s M2 Pro, M2 Max, and M2 Ultra SoCs.

With Linux 6.18 finalized, attention shifts to Linux 6.19. The first release candidate is scheduled for December 14, and the full release is expected in early February 2026. Because 6.18 is the final kernel release of the year, it stands as a strong contender to become the next LTS Kernel Series, though official confirmation awaits input from long-standing maintainer Greg Kroah-Hartman.

Ongoing Ransomware Attacks Exploit Critical Linux Kernel Vulnerability (CVE-2024-1086)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning after confirming that a critical flaw in the Linux Kernel, tracked as CVE-2024-1086, is being actively exploited in ongoing ransomware attacks targeting Linux systems worldwide.

CVE-2024-1086 is a use-after-free vulnerability in the Linux Kernel’s netfilter: nf_tables component. The flaw arises when the nft_verdict_init() function improperly allows positive values to be used as a drop error within the hook verdict, which can lead to a double-free scenario in nf_hook_slow() when NF_DROP is mishandled.

Although the faulty code originated from a commit introduced back in February 2014, the vulnerability was not officially disclosed until January 31, 2024. A patch to address it was submitted in January 2024.

Scope and Impact of CVE-2024-1086

The Linux Kernel flaw affects versions from 3.15 up to 6.8-rc1, meaning a wide range of major Linux distributions are vulnerable. Impacted systems include:
  • Ubuntu: 18.04, 20.04, 22.04, and 23.10
  • Red Hat Enterprise Linux (RHEL):
      • RHEL 7 – 3.10.0-1062.4.1.el7
      • RHEL 8 – 4.18.0-147.el8
      • RHEL 9 – 5.14.0-362.24.2.el9_3
  • Debian: kernel version 6.1.76-1

Exploitation of CVE-2024-1086 allows attackers with local access to escalate their privileges to root level, granting full control of compromised systems. With root access, threat actors can disable security protections, install malware, move laterally within a network, steal data, and deploy ransomware payloads.

Ransomware Connection and Agency Action

CISA has now confirmed that CVE-2024-1086 is being used in ransomware attacks. The vulnerability was initially added to the agency’s Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, with federal agencies ordered to apply security patches or mitigations no later than June 20, 2024.

In its official statement, CISA described this Linux Kernel flaw as a “frequent attack vector for malicious cyber actors,” emphasizing the significant risks it poses to government and enterprise networks alike. Agencies and organizations are instructed to follow vendor guidance for patching or discontinue use of affected products if no fixes are available.

Exploit Availability and Threat Landscape

In late March 2024, a security researcher using the alias Notselwyn released a detailed write-up and a proof-of-concept (PoC) exploit for CVE-2024-1086. The PoC demonstrated how attackers could achieve local privilege escalation on Linux kernel versions ranging from 5.14 to 6.6.

According to security researchers, the exploit has proven to be highly reliable, showing success rates exceeding 99% in some tests. The public availability of this exploit code, combined with confirmed use in ransomware operations, significantly increases the risk of widespread attacks.

Mitigation and Recommended Actions

System administrators are advised to verify immediately whether their Linux installations are affected. Running the command uname -r will reveal the kernel version in use. If the version falls between 3.15 and 6.8-rc1, the system may still be vulnerable.

To protect against exploitation:
  • Update to Linux Kernel 6.8-rc2 or later, or apply vendor-provided patches. 
  • Blocklist the nf_tables module if it is not required. 
  • Restrict access to user namespaces to minimize the attack surface. 
  • Consider loading the Linux Kernel Runtime Guard (LKRG) module to add runtime protection, though administrators should be aware that it may affect system stability. 
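The checks above (kernel version range, nf_tables module status, user namespace restriction) can be put into one read-only audit script. The script below is an added example written for this page, not code from the article or from CISA; it assumes a POSIX shell on Linux, reads /proc/modules, /etc/modprobe.d and the mainline user.max_user_namespaces sysctl, and uses a deliberately simple version comparison that does not account for distribution backports, so an "inside range" result is a prompt to confirm the vendor fix rather than a verdict.

```shell
#!/bin/sh
# Added example (not from the article): read-only audit of one host against the
# CVE-2024-1086 advisory guidance. It checks the running kernel against the
# advisory's 3.15 .. 6.8-rc1 range, whether nf_tables is loaded or blocklisted,
# and whether unprivileged user namespaces are disabled.
# The version comparison ignores distribution backports on purpose: "in range"
# means "consult the vendor advisory", not "exploitable".

# Reduce a `uname -r` string to a comparable major*1000+minor integer
# (e.g. "5.15.0-91-generic" -> 5015, "6.8-rc1" -> 6008).
kver_num() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    echo $(( ${major:-0} * 1000 + ${minor:-0} ))
}

# True (exit 0) when the version falls inside the advisory range.
# 6.8-rc1 is inside the range; 6.8-rc2 and the final 6.8 release are not.
kver_in_advisory_range() {
    v="$1"
    n=$(kver_num "$v")
    if [ "$n" -lt "$(kver_num 3.15)" ]; then return 1; fi
    if [ "$n" -lt "$(kver_num 6.8)" ]; then return 0; fi
    case "$v" in
        6.8-rc1|6.8-rc1-*|6.8.0-rc1|6.8.0-rc1-*) return 0 ;;
    esac
    return 1
}

# True when nf_tables appears in a /proc/modules-style listing
# (optional argument: path to an alternative listing, used for testing).
nf_tables_loaded() {
    grep -qs '^nf_tables ' "${1:-/proc/modules}"
}

# True when a modprobe.d directory disables nf_tables. A plain "blacklist"
# line only stops alias-based autoloading; "install nf_tables /bin/false"
# also refuses loading by name, which is the stronger form.
nf_tables_blocklisted() {
    dir="${1:-/etc/modprobe.d}"
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+nf_tables|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))([[:space:]]|$)' "$dir"/*.conf
}

# True when the mainline sysctl user.max_user_namespaces is 0, i.e. no new
# user namespaces can be created. Distribution-specific knobs (Debian's
# kernel.unprivileged_userns_clone, Ubuntu's AppArmor restriction) are not
# covered by this check.
userns_disabled() {
    v=$(cat "${1:-/proc/sys/user/max_user_namespaces}" 2>/dev/null || echo unknown)
    [ "$v" = 0 ]
}

# Print one line per check for the running host.
report() {
    kv=$(uname -r)
    if kver_in_advisory_range "$kv"; then
        echo "kernel $kv: inside advisory range 3.15..6.8-rc1, confirm the vendor fix is applied"
    else
        echo "kernel $kv: outside advisory range"
    fi
    if nf_tables_loaded; then echo "nf_tables: loaded"; else echo "nf_tables: not loaded"; fi
    if nf_tables_blocklisted; then echo "modprobe.d: nf_tables disabled"; else echo "modprobe.d: nf_tables not disabled"; fi
    if userns_disabled; then echo "user namespaces: disabled (max_user_namespaces=0)"; else echo "user namespaces: allowed"; fi
}

report
```

Run it as `sh cve-2024-1086-check.sh` on each host; the functions take optional path arguments so the same logic can be pointed at collected /proc and modprobe.d snapshots from other machines. The kernel check only looks at major.minor, so vendor kernels that backported the fix (for example the RHEL builds listed above) will still show as "inside advisory range" and need the distribution advisory to settle the question.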