linux kernels 2025 complete analysis

Publié par Cindy sur 14 Avril 2026, 06:35am

Catégories : #dm-pcache, #Bcachefs, #Apple M2, #AI kernel

Complete analysis of 2025 Linux kernels: new features from Linux 6.14 to 6.19, critical CVEs (nf_tables, ksmbd 0-day AI, Rust Binder LTS 6.18), Bcachefs removal, dm-pcache, Apple Silicon M2. Sourced security recommendations. SafeITExperts.

Linux Kernels 2025: Complete Analysis 6.14 → 6.19, CVEs and Security | SafeITExperts

COMPLETE ANALYSIS — MARCH 2026

Linux Kernels 2025:
Features, Security & Recommendations

March 9, 2026 Cindy — SafeITExperts ~12 min 🐧 Linux · Security · Open Source

🐧 2025 Overview

✏️ Corrections made to the initial version of this article

🔴 dm-CACHE → dm-pcache — major factual error corrected
🟡 AMD SmartMux — requires a hardware MUX on the motherboard, not universal
➕ Linux 6.15 and 6.16 added (missing in v1)
🗑️ Removal of Bcachefs documented (critical omission)
🔐 Entirely new security section — 6 documented and sourced CVEs

2025 was a pivotal year for the Linux kernel: accelerated adoption of Rust, unprecedented support for Apple Silicon M2 Pro/Max/Ultra, and — a historic milestone — the first kernel 0-day discovered by an AI. In parallel: 8 to 9 new kernel CVEs published each day.

Server room under cyberattack - illustration of Linux kernel security in 2025 — 🖥️ **Illustration:** Server room under cyberattack — over 130 kernel CVEs published in January 2025, including critical flaws exploited by ransomware.

6 Major releases

8–9 Kernel CVEs / day

6.18 2025 LTS Version

⚙️ Versions 6.14 → 6.19

Linux 6.14 Standard 📅 March 24, 2025

AMD XDNA: first official Ryzen AI NPU driver
NTSYNC: Windows gaming (Wine/Proton) improved
Intel Panther Lake & Clearwater Forest: preliminary thermal support
4,096 CPU cores: doubled limit — HPC environments

Linux 6.15 Standard 📅 May 25, 2025

NOVA (Rust, NVIDIA Turing+): first entirely Rust GPU driver — historic
Zero-copy io_uring: network without copy — reduced CPU load
Btrfs zstd real-time: granular compression from -1 to -15
AMD INVLPGB: broadcast TLB invalidation multi-core

Linux 6.16 Standard 📅 July 29, 2025

Intel APX: general-purpose registers ×2 + extended vector instructions
ext4 bigalloc + large folio: +33% performance on large files
XFS atomic writes: guaranteed data consistency after crash
Bcachefs: final Torvalds warning before removal

Linux 6.17 Standard 📅 Sep. 28, 2025

AMD SmartMux: GPU switching ⚠️ hardware MUX required
Intel Core Ultra Series 3: Arrow Lake & Lunar Lake
Lenovo Legion Go / Go S: full support
NVMe zeros without I/O: secure erase without disk access
🗑️ Bcachefs removed from mainline → DKMS or Btrfs/ext4

Linux 6.18 ⭐ LTS — supported until Dec. 2027 📅 Nov. 30, 2025

🍎 Platforms

Apple M2 Pro / Max / Ultra: Asahi Linux Device Trees
Snapdragon X1: Dell, HP OmniBook, Lenovo ThinkBook
MediaTek Dimensity 9400 & Kompanio Ultra
RISC-V: SiFive HiFive Premier P550

🤖 AI & GPU

Tyr Driver (Rust): ARM Mali CSF — future Panthor base
NVIDIA Nouveau: GSP firmware by default (Turing & Ampere)
Secure AVIC / AMD SEV-SNP: reinforced encrypted VMs

💾 Storage & network

dm-pcache: CXL persistent memory as cache
v1 Correction v1 mentioned dm-CACHE — incorrect. The new feature is dm-pcache.
Sheaves (SLUB): accelerated memory allocator
UDP +50%: high-load streaming & online gaming

Linux 6.19 → 7.0 Standard 📅 Feb. 8, 2026

Released February 8, 2026. Linus Torvalds announced the next version will be Linux 7.0 — a cosmetic decision, no architectural break.

ℹ️ Practical advice

Linux 6.18 LTS remains the reference until December 2027. Linux 6.19 and 7.0 are for advanced users.

🔐 Security — Major 2025 CVEs

📊 Alarming Context — 134 CVEs in 16 days

January 2025: 134 new kernel CVEs in 16 days. By end of October: 7 in the KEV CISA catalog. Ransomware groups RansomHub, Akira, and Qilin compromised over 700 organizations across 62 countries.

CVE-2024-1086 🔴 Critical

« Flipping Pages » — nf_tables

Type: Use-After-Free
Impact: local privilege escalation → root
Status: KEV CISA Oct. 2025 — active exploitation by RansomHub & Akira

CVE-2021-22555 🔴 Critical

Heap OOB nftables — nft_set_elem_init()

Type: heap out-of-bounds write via forged netlink attributes
Impact: arbitrary code execution as root
Status: KEV CISA October 6, 2025

CVE-2024-50264 🟠 High

POSIX timers race condition

Type: TOCTOU — incorrect memory freeing under concurrent access
Surface: very broad — POSIX timers used by processes, containers, daemons
Status: KEV CISA Sep. 2025 — exploited on Android stacks

CVE-2025-37899 ⚫ AI 0-day ksmbd SMB3

🤖 Historic Event — First kernel 0-day discovered by AI

Sean Heelan submitted 12,000 lines of ksmbd to OpenAI's o3 LLM. The AI identified a UAF in the SMB2 LOGOFF handler.

Impact: remotely exploitable memory corruption on any server exposing SMB3 via ksmbd
Action: modprobe -r ksmbd if unused + patch

CVE-2025-68260 🔴 Critical

Rust Binder (Linux 6.18)

⚠️ Directly concerns the recommended LTS 6.18

Type: Race condition in death_list → memory corruption
Action: update to the latest patched 6.18.x

vsock / CVE-2023-0386 🟠 High

OverlayFS & vsock

vsock: UAF vsock — from a VM, reach root on the host
OverlayFS: privilege escalation — KEV CISA 2025 — critical for Docker/Podman
Trend: attacks targeting isolation boundaries

📊 Summary Tables

🗓️ 2025 Versions & Features

Version	Date	Key Features	Target Audience
Linux 6.14	March 2025	AMD XDNA (Ryzen AI NPU) NTSYNC (Proton gaming) 4,096 CPU cores	Gamers, Ryzen AI
Linux 6.15	May 25, 2025	NOVA Rust (NVIDIA Turing) Zero-copy io_uring Btrfs zstd real-time	Dev, network perf.
Linux 6.16	July 29, 2025	Intel APX (registers ×2) ext4 bigalloc (+33%) XFS atomic writes	Servers, ext4/XFS
Linux 6.17	Sep. 28, 2025	AMD SmartMux (hw MUX) Intel Core Ultra S3 Lenovo Legion Go/Go S	Portable gamers
Linux 6.18 ⭐ LTS	Nov. 30, 2025	Apple M2 Pro/Max/Ultra dm-pcache (CXL) Tyr Rust Driver (ARM) UDP +50% · Sheaves SLUB Snapdragon X1 laptops	✅ All — LTS Dec. 2027
Linux 6.19	Feb. 8, 2026	Linux 7.0 precursor	Advanced users

🔐 Major 2025 CVEs

CVE	Component	Severity	Immediate Action
CVE-2024-1086	nf_tables	🔴 Critical	Patch — active in ransomware
CVE-2021-22555	nftables heap	🔴 Critical	Urgent update
CVE-2024-50264	POSIX timers	🟠 High	KEV CISA — patch
CVE-2025-37899	ksmbd SMB3	⚫ AI 0-day	Disable ksmbd + patch
CVE-2025-68260	Rust Binder (6.18)	🔴 Critical	Update → 6.18.x
vsock / CVE-2023-0386	vsock, OverlayFS	🟠 High	Disable vsock + audit Docker

✅ SafeITExperts Recommendations

⭐ Primary Recommendation: Linux 6.18 LTS

For servers, workstations, enterprises, and Apple Silicon users: Linux 6.18 LTS until December 2027. Ensure you are on a patched 6.18.x version (CVE-2025-68260).

🔍Check your version: uname -r — confirm a recent 6.18.x version with the CVE-2025-68260 patch applied
🗑️Bcachefs: switch to the DKMS module or migrate to Btrfs / ext4 as soon as possible
🔌ksmbd: disable if unused — modprobe -r ksmbd
🔒vsock: disable outside hypervisors — modprobe -r vsock
⚡Patch cycles < 2 weeks for critical CVEs — exploits arrive quickly after publication
🐳Audit containers: 2025 attacks target Docker/Podman isolation boundaries (OverlayFS)
📧CVE monitoring: subscribe to kernel-security bulletins from your distribution (Ubuntu, Debian, RHEL…)

Action	Security Impact	Complexity
Switch to LTS 6.18	Very High	Low
Auto kernel updates	High (0-day)	Low
Migrate Bcachefs → Btrfs	High (stability)	Medium
Disable unused modules	Medium (surface)	Low
Audit container dependencies	Medium (isolation)	High

📖 Technical Glossary

dm-pcache

Device Mapper target (Linux 6.18) using CXL/NVDIMM persistent memory as ultra-fast cache. Distinct from dm-cache (traditional SSD cache, existing for years).

NOVA Driver (Rust)

First experimental GPU driver entirely in Rust, targeting NVIDIA Turing+ GPUs (Linux 6.15). Basis for future Nouveau replacement (Collabora, Google, ARM).

Bcachefs

Linux filesystem merged in 6.7, removed from mainline in 6.17/6.18 after Torvalds warnings. Alternative: DKMS module or migration to Btrfs/ext4.

Use-After-Free (UAF)

Vulnerability where a memory area is used after being freed. Allows writing arbitrary data into the kernel to gain root privileges.

KEV CISA

Known Exploited Vulnerabilities catalog: official list of actively exploited flaws published by the US CISA agency. Absolute priority for patching.

SLUB Sheaves

Enhancement to the SLUB memory allocator (Linux 6.18): grouping similar objects to reduce fragmentation and accelerate kernel allocations.

AMD XDNA

AMD NPU (Neural Processing Unit) architecture integrated into Ryzen AI. On-device AI inference without dedicated GPU — first official Linux 6.14 driver.

Rust Binder (CVE-2025-68260)

Rust rewrite of the Android Binder IPC driver, merged in Linux 6.18. CVE-2025-68260 is a race condition introduced in this new code.

Apple Silicon M2

Support for Apple M2 Pro/Max/Ultra processors in Linux 6.18 LTS via Asahi Linux Device Trees. Includes GPU, WiFi, keyboard, and power management.

🔗 Verified Sources

Source	Organization	Contribution
kernel.org	Linux Foundation	Official announcements 6.14–6.19
phoronix.com	Phoronix	Technical coverage of each RC
lwn.net	Linux Weekly News	Analysis of Bcachefs, dm-pcache, Rust Binder
CISA KEV	CISA (US Gov)	CVE-2024-1086, CVE-2021-22555, CVE-2024-50264
NVD NIST	NIST	CVSS scores & official descriptions
linuxsecurity.com	Linux Security	CVE-2025-68260 (Rust Binder 6.18)
SemiEngineering / Georgia Tech	Academic Research	CVE-2025-37899 — ksmbd 0-day via o3 OpenAI
BleepingComputer	BleepingComputer	RansomHub/Akira & active CVE-2024-1086
asahilinux.org	Asahi Linux Project	Apple M2 Pro/Max/Ultra Device Trees

📚 SafeITExperts Reading

🛡️ Linux, Windows, macOS Security and Privacy

Complete guide to preventive cybersecurity measures for Linux, Windows, and macOS. Encryption, firewall, updates, privacy: protect yourself effectively.

Security

🔑 Secure Passwords: 10 Unbreakable ANSSI Secrets

Secure your passwords on Windows, Mac, and Linux: managers, 2FA, long phrases, and anti-hacking tips. Protect yourself easily!

ANSSI

💻 Stolen Computer: Security Guide

IT security is a clear reality: a stolen device can become an open door to your data and digital identity. Analysis of 9 risk levels and advanced protection methodology.

Protection

🌐 Cybersecurity and Digital Privacy: Complete Guide

In a hyperconnected world, digital security is no longer a luxury but an absolute necessity. Complete guide to protecting your privacy.

Privacy

About the Author

Cindy is a writer for SafeITExperts, a bilingual FR/EN blog dedicated to cybersecurity, Linux, digital sovereignty, and IT strategy. This article includes documented and sourced factual corrections.