Security researcher Simone Margaritelli has sounded the alarm on what could be one of the most dangerous vulnerabilities in Linux history. He claims that this flaw, which could impact all GNU/Linux systems (and others), carries a severity rating of 9.9 out of 10. If the exploit is as bad as it sounds, this is something every Linux user and developer needs to pay close attention to.
Typically, when a security flaw is discovered, the process follows a well-defined path: researchers disclose the vulnerability to the affected parties (developers or vendors), who then work on patching the issue. In an ideal situation, these patches are delivered promptly to protect users. Unfortunately, this doesn’t always happen.
Margaritelli says the developers responsible for fixing this flaw aren’t taking him seriously. He says he discovered a remote code execution vulnerability affecting all GNU/Linux systems and reported it over three weeks ago, but according to him, progress on fixing the issue has been slow.
Margaritelli hasn’t publicly shared full details of the vulnerability yet, but he plans to do so in a couple of weeks. Meanwhile, Red Hat, Canonical, and other companies have confirmed the severity of the vulnerability, which suggests the flaw is indeed significant. Still, Margaritelli claims that developers are downplaying the potential impact of this vulnerability and dismissing his findings.
“If your software has been running on everything for the last 20 years, you have a freaking responsibility to own and fix your bugs instead of using your energies to explain to the poor bastard that reported them how wrong he is,” he said publicly, expressing frustration at the lack of urgency from the developers.
The security community is divided on this. Some users on X (formerly Twitter) and other platforms are skeptical, pointing out that Margaritelli has yet to provide substantial proof. The only evidence so far is a screenshot of the potential 9.9 score. That said, the list of vendors involved includes major names like Canonical, Red Hat, and Dell, as well as FreeBSD and Apple, suggesting that this vulnerability may be far-reaching.
Margaritelli also shared that CERT has assigned the vulnerability to several vendors, including large tech companies, which is an important indicator of its scope and potential severity.
Full disclosure of the vulnerability is set for Oct. 6, meaning that time is running out to address the issue before the details are made public. Once this happens, attackers could exploit the vulnerability, putting millions of systems at risk.
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.