Linux kernel CVE disclosures reached 5,530 in 2025, marking a 28% increase over the previous year’s total and representing an 8-9 daily average that challenges security teams worldwide. The platform now powers 49.2% of global cloud workloads and 100% of the world’s top 500 supercomputers, creating an attack surface that threat actors actively exploit through webshells, ransomware, and brute-force campaigns.
This analysis examines verified data from CISA’s Known Exploited Vulnerabilities catalog, Trend Micro’s threat landscape reports, and Elastic Security Labs to document the current state of Linux security in 2026.
Linux Malware and Vulnerability Key Statistics
- Linux kernel CVEs increased 1,117% in 2024 to 3,529 vulnerabilities, with 5,530 recorded in 2025 year-to-date as of early January.
- Webshells account for 49.6% of all Linux malware exploits, targeting web servers as primary attack vectors.
- Linux ransomware attacks increased 62% between 2022 and 2023, with ESXi servers facing average ransom demands of $5 million.
- Brute-force attacks represent 89% of all endpoint behaviors on Linux systems, focusing on SSH endpoints in public-facing infrastructure.
- Linux accounts for only 1.3% of global malware detections in 2025 despite powering 90% of public cloud workloads.
Linux Kernel CVE Growth Patterns
The Linux kernel team became a CVE Numbering Authority (CNA) in early 2024, which changed how kernel vulnerabilities are disclosed. Bugs that previously went unreported as security issues now receive CVE identifiers, producing a far more complete public record.
The first 16 days of 2025 witnessed 134 new kernel CVEs, exceeding total annual figures from both 2020 and 2021. Security teams now manage approximately 8-9 new kernel vulnerabilities daily.
| Year | Total CVEs | Year-over-Year Change |
|---|---|---|
| 2020 | 120 | Baseline |
| 2021 | 162 | +35% |
| 2022 | 309 | +91% |
| 2023 | 290 | -6% |
| 2024 | 3,529 | +1,117% |
| 2025 (YTD) | 5,530 | +28% vs 2024 |
This sharp growth reflects improved transparency rather than declining code quality. The kernel team now assigns CVEs to previously undocumented bugs, creating comprehensive vulnerability records.
Linux Malware Distribution by Attack Type
Trend Micro’s analysis identified distinct patterns in malware targeting Linux environments. Web-facing applications serve as primary entry points for attackers.
WordPress vulnerabilities remain the most exploited entry point, followed by Joomla, Apache, and cPanel. The dominance of webshell attacks correlates with Linux controlling 57% of identifiable web server operating systems globally.
Trojans represent 29.4% of Linux exploits and focus on gaining system access. Backdoors account for 12.3% of attacks, providing persistent access channels. Cryptocurrency miners comprise 8.7% of malware, targeting computing resources for unauthorized mining operations.
Linux Ransomware Attack Trends
Ransomware groups expanded Linux capabilities substantially, with VMware ESXi environments becoming high-priority targets. These hosts run multiple virtual machines, so a single compromised hypervisor affects many workloads at once.
The number of directly exposed ESXi servers decreased 90% from 85,000 in 2023 to 8,900 in 2024, demonstrating improved security awareness. However, Q4 2024 recorded 1,827 ransomware incidents, the highest quarterly figure on record.
Play ransomware affected over 350 organizations in 2024. Akira ransomware extorted $42 million as of April 2024. LockBit, Play, Akira, and the emerging Kraken continue developing Linux-specific variants targeting virtualization infrastructure.
Linux Attack Pattern Analysis
Elastic’s 2024 Global Threat Report analyzed over 1 billion data points, revealing distinctive attack behaviors specific to Linux environments. The concentration of brute-force authentication attempts reflects Linux’s role in public-facing infrastructure.
Linux accounts for 3.2% of total endpoint behaviors in Elastic’s telemetry. Within that segment, 89% of behaviors involve brute-force attacks. SSH endpoints remain continuously targeted by automated attack tools.
Two-factor authentication is enabled on 72.1% of Linux-based servers, particularly SSH endpoints. This adoption rate indicates growing security awareness among administrators managing Linux security configurations.
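The SSH brute-force pattern described above can be surfaced from ordinary sshd logs. The following is an added example, not code from Elastic or from the report: it parses constructed `auth.log`-style lines and flags any source address with five or more failed logins inside a 60-second sliding window (the threshold, window, and the assumed log year are choices made here, since syslog lines carry no year).

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches OpenSSH failure lines as written to /var/log/auth.log on Debian-style hosts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jan  7 03:14:01 web1 sshd[2217]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan  7 03:14:03 web1 sshd[2219]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Jan  7 03:14:04 web1 sshd[2221]: Failed password for root from 203.0.113.45 port 51238 ssh2
Jan  7 03:14:06 web1 sshd[2223]: Failed password for invalid user oracle from 203.0.113.45 port 51240 ssh2
Jan  7 03:14:08 web1 sshd[2225]: Failed password for invalid user test from 203.0.113.45 port 51242 ssh2
Jan  7 03:14:09 web1 sshd[2227]: Failed password for root from 203.0.113.45 port 51244 ssh2
Jan  7 03:20:11 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan  7 03:20:40 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
Jan  7 03:45:00 web1 sshd[2410]: Failed password for root from 203.0.113.45 port 51300 ssh2
"""

def parse_failures(log_text, year=2025):
    """Yield (timestamp, ip, user) for each failed-auth line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def brute_force_sources(log_text, threshold=5, window_s=60):
    """Return {ip: (max failures in one window, set of usernames tried)} for every
    source that reaches `threshold` failures within any `window_s`-second window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, {u for _, u in events})
    return flagged
```

A single failed login from a legitimate user who then authenticates with a key is not flagged, while the scanning host that cycles through `admin`, `root`, `oracle` and `test` is.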
Linux Infrastructure Market Dominance
Linux’s market position in enterprise computing creates a proportionally expanding attack surface. The platform dominates containerization environments, with Docker maintaining 87.67% market share across 108,000+ companies.
| Infrastructure Category | Linux Market Share |
|---|---|
| Global Cloud Workloads | 49.2% |
| Public Cloud Workloads | 90% |
| TOP500 Supercomputers | 100% |
| Server Operating Systems | 44.8% |
| Kubernetes Clusters | 78% |
| Docker Containers | 75% |
| Web Servers | 57% |
Container security concerns delayed deployments for two-thirds of organizations. Security incidents resulted in revenue or customer loss for 46% of companies, underscoring the financial cost of weak container and host security controls.
Linux Malware Detection Rates
Linux maintains stronger security metrics compared to other operating systems. Windows accounts for approximately 87% of global malware detections in 2025, while macOS represents 13%.
Linux malware detections account for only 1.3% of all operating system-targeted malware despite the platform powering critical infrastructure worldwide. This metric requires context, as attacks on Linux servers through SSH brute force, webshells, and cryptominers increased significantly.
Rootkit detections decreased 11.6% year-over-year, attributed to hardened kernels and improved anomaly detection tools. Security teams now leverage advanced monitoring capabilities to identify suspicious activities.
Critical Linux Vulnerabilities Actively Exploited
CISA’s Known Exploited Vulnerabilities catalog documents Linux kernel flaws actively weaponized by threat actors. Several of these kernel vulnerabilities were added to the KEV catalog during 2024-2025.
| CVE ID | Vulnerability Type | CVSS Score |
|---|---|---|
| CVE-2024-1086 | Use-after-free (netfilter) | 7.8 |
| CVE-2024-53104 | Out-of-bounds write (UVC driver) | 7.8 |
| CVE-2024-53150 | Out-of-bounds read (ALSA audio) | 7.1-7.8 |
| CVE-2024-53197 | ALSA audio vulnerability | High |
| CVE-2024-50302 | HID driver vulnerability | High |
CVE-2024-1086, a netfilter use-after-free vulnerability, had public exploit code available since March 2024. CISA confirmed in October 2025 that ransomware campaigns actively used this vulnerability.
Exploited vulnerabilities remain the most common root cause of ransomware attacks, involved in 32% of incidents according to Sophos’s State of Ransomware 2025 report. Organizations must prioritize patch management processes to address these threats.
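Prioritizing patches against the KEV catalog, as recommended above, is straightforward to automate. The following is an added example, not CISA's or the report's code: it triages a constructed excerpt shaped like CISA's KEV JSON feed (field names `cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse` as published by CISA) against a set of CVEs already patched, ordering unpatched Linux kernel entries by known ransomware use and then by due date. CVE IDs are those from the table above; dates, names and the non-Linux entry are placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. CVE IDs come from the
# table above; dates, names and ransomware flags here are placeholder sample values.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-1086", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Use-After-Free Vulnerability",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-53104", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Out-of-Bounds Write Vulnerability",
         "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-53150", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Out-of-Bounds Read Vulnerability",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Widget",
         "vulnerabilityName": "Placeholder non-Linux entry (constructed)",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

def triage_kev(feed_json, patched, today_iso, vendor="Linux", product="Kernel"):
    """Return unpatched KEV entries for `vendor`/`product`, most urgent first:
    entries with known ransomware use, then earliest due date. `patched` is a set
    of CVE IDs already remediated; `today_iso` is an ISO date used for overdue_days."""
    entries = json.loads(feed_json)["vulnerabilities"]
    today = date.fromisoformat(today_iso)
    gaps = []
    for e in entries:
        if e["vendorProject"] != vendor or e["product"] != product:
            continue
        if e["cveID"] in patched:
            continue
        due = date.fromisoformat(e["dueDate"])
        gaps.append({
            "cveID": e["cveID"],
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "dueDate": e["dueDate"],
            "overdue_days": max(0, (today - due).days),
        })
    # False sorts before True, so negate the ransomware flag to put known use first.
    gaps.sort(key=lambda g: (not g["ransomware"], g["dueDate"]))
    return gaps
```

Pointing the same function at the live feed and at the kernel versions actually deployed turns the catalog into a daily patch-gap report rather than a document to read.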
Linux Malware File Format Analysis
Cloud Storage Security’s threat laboratory examined file formats used to deliver malware targeting Linux systems. ELF files, the native executable format for Linux systems including servers and IoT devices, comprised 44% of malware cases in January 2025.
Top malware families detected included RustyStealer, a data harvesting trojan, and Mirai, an IoT botnet. The continued prevalence of Mirai aligns with projections of 30+ billion IoT devices connected by end of 2025.
FAQ
How many Linux kernel CVEs were discovered in 2025?
Linux kernel CVEs reached 5,530 in 2025 year-to-date as of early January, representing a 28% increase over 2024’s total of 3,529 vulnerabilities. Security teams now face an average of 8-9 new kernel CVEs daily.
What percentage of Linux malware involves webshells?
Webshells account for 49.6% of all Linux malware exploits according to Trend Micro’s analysis. These attacks primarily target web servers, with WordPress vulnerabilities serving as the most frequently exploited entry point.
How much do ransomware groups demand from ESXi servers?
Average ransom demands for VMware ESXi servers reach $5 million. ESXi environments became high-priority targets because they host multiple virtual machines, allowing attackers to encrypt entire virtualization infrastructures simultaneously.
What percentage of Linux endpoint attacks are brute-force attempts?
Brute-force attacks represent 89% of all endpoint behaviors on Linux systems according to Elastic’s 2024 Global Threat Report. These attacks primarily target SSH endpoints in public-facing infrastructure that remain continuously exposed.
How does Linux malware detection compare to other operating systems?
Linux accounts for only 1.3% of global malware detections in 2025, while Windows represents 87% and macOS 13%. However, this low detection rate doesn’t reflect reduced targeting, as Linux servers face increased SSH brute force and webshell attacks.