New zero-day flaw hits millions of Linux servers, also affects most Android devices

A new, previously undiscovered flaw that allows an attacker to escalate local user privileges to the highest “root” level is said to hit “tens of millions” of Linux PCs and servers.

Because some of the code is shared, the zero-day flaw also affects more than two-thirds of all Android devices.

Israeli security firm Perception Point disclosed the flaw in a blog post Tuesday, but it wasn’t immediately clear if the bug had been privately reported to Google, which develops the Android software.

Perception Point said in an email that it has released a proof-of-concept exploit following collaboration with a number of Linux distribution teams.

The flaw, said to date back to 2012, affects Linux kernel versions 3.8 and higher, which extends to devices running Android KitKat 4.4 and higher. The vulnerability is in the keyring facility, baked into the core of the Linux software. If exploited, an attacker would be able to execute code on the Linux kernel, and extract cached security data, which can include in some cases encryption and authentication keys.

The Israeli security firm said it had no evidence to suggest the flaw had been exploited in the wild.

A patch is expected to be released on January 19 for most Linux machines.

Red Hat has already patched its systems, according to a security advisory, with other distributions expected to follow up in the coming day.

It’s not thought that Google was aware of the bug before it was published Tuesday. but will likely be fixed as part of the company’s monthly security updates.

A Google spokesperson did not comment.

This post has been updated.