The following table lists mitigations and the Linux version in which each was added.
Version (and date) | Mitigation | References |
---|---|---|
(optional patch) | grsecurity/PaX | 1 2 |
Linux 2.4.21-rc1 | Exec-Shield | 3 |
Linux 2.6.8 | Non-Executable Memory (NX) / DEP | 4 |
Linux 2.6.12 | kernel.randomize_va_space. Address Space Layout Randomization (ASLR). | 5 |
Linux 2.6.23 | (ineffective until 2019) kernel.mmap_min_addr. NULL page mitigation. Ineffective and easily bypassable (CVE-2019-9213) until 2019. | 6 7 8 |
Linux 2.6.28 | kernel.kptr_restrict | 9 10 11 |
Linux 2.6.37 | kernel.dmesg_restrict | 12 13 14 |
Linux 3.0 + hardware needs support (>= Ivy Bridge architecture) | Supervisor Mode Execution Prevention (SMEP) for x86 / x86_64 architectures. | 15 16 17 18 |
Linux 3.7 + hardware needs support | Supervisor Mode Access Prevention (SMAP) for x86 / x86_64 architectures. | 19 20 |
Linux 3.7 + hardware needs support | PXN (Privileged Execute-Never). Effectively SMEP (Supervisor Mode Execution Prevention) for ARM architectures. | 21 22 23 |
Linux 3.14 (supported, but not enabled by default until kernel 4.12) | Kernel ASLR (KASLR) | 24 25 |
>= clang 3.7 | Control Flow Integrity (CFI) | 26 |
Linux 4.0 (optional kernel module) | Linux Kernel Runtime Guard (LKRG). Loadable kernel module that performs runtime integrity checking. | 27 |
Linux 4.3 + hardware needs support | PAN (Privileged Access Never). Effectively SMAP (Supervisor Mode Access Prevention) for ARM architectures. | 28 |
Linux 4.13 | Compile-time and run-time protection for finding overflows (CONFIG_FORTIFY_SOURCE) | 29 |
Linux 4.13 | Forced NULL-prefixed stack canary on 64-bit | 29 |
Linux 4.13 | randomized structure layout (manual mode only) (randstruct gcc plugin) | 29 |
Linux 4.13 | lower ELF_ET_DYN_BASE (32-bit only) | 29 |
Linux 4.14 (optional patch) | Kernel Address Isolation to have Side-channels Efficiently Removed (KAISER) | 30 31 |
Linux 4.15 | Kernel Page Table Isolation (PTI) (formerly KAISER) | 32 33 34 35 |
Linux 4.4.144 | Spectre v1 fix | 36 37 38 |
Linux 4.18 | allocation overflow detection helpers | 39 40 |
Linux 4.18 | Removing open-coded multiplication from memory allocation arguments | 41 40 |
Linux 5.1 | CR4 Pinning. Prevents modification of sensitive CR4 bits, preventing SMEP/SMAP bypass via native_write_cr4. | 42 43 |
Linux 5.3 | Heap auto initialization | 44 45 |
Linux 5.4 | PAC on arm64: return address signing | 46 47 |
TBC | RFC for per-function level granularity KASLR | 48 49 |
Linux ? | kernel stack base offset randomization | 50 51 |