CVE-2024-1086
Use-after-free in Linux kernel's netfilter: nf_tables component
In short
A flaw in the Linux kernel's netfilter subsystem allows a local attacker to cause a double free in kernel memory, leading to privilege escalation. The vulnerability is triggered when incorrectly validated drop error values are processed; the result can be a system crash or the attacker gaining root-level access.
Technical detail
Use-after-free vulnerability in the nf_tables component: nft_verdict_init() improperly validates positive drop error values in hook verdicts, causing nf_hook_slow() to trigger a double free when NF_DROP is issued with an error code resembling NF_ACCEPT. A local attacker with unprivileged user access can exploit this for privilege escalation.
Summary generated and translated by AI from the official description.
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.
We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Linux · Kernel

Public PoCs found: 14

- github.com/Notselwyn/CVE-2024-1086 (★ 2448)
- github.com/LLfam/CVE-2024-1086 (★ 21)
- github.com/Alicey0719/docker-POC_CVE-2024-1086 (★ 3)
- github.com/kevcooper/CVE-2024-1086-checker (★ 2)
- github.com/sandesh9978/cve-2024-1086-lpe (★ 1)
- github.com/ndt2111200203/CVE-2024-1086 (★ 0)
- github.com/vettrivel007/CVE-2024-1086 (★ 0)
- github.com/ClaraSto/CVE-2024-1086_Ausarbeitung (★ 0)
- github.com/b1nhack/CVE-2024-1086 (★ 0)
- github.com/Luisbuilds-data/cve-2024-1086-writeup (★ 0)
- github.com/xzx482/CVE-2024-1086 (★ 0)
- github.com/CCIEVoice2009/CVE-2024-1086 (★ 0)
- github.com/karim4353/CVE-2024-1086-Exploit (★ 0)
- github.com/feely666/CVE-2024-1086 (★ 0)

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
- https://github.com/Notselwyn/CVE-2024-1086
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660
- https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660
- https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LSPIOMIJYTLZB6QKPQVVAYSUETUWKPF/
- https://news.ycombinator.com/item?id=39828424
- https://pwning.tech/nftables/
- https://security.netapp.com/advisory/ntap-20240614-0009/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1086
- http://www.openwall.com/lists/oss-security/2024/04/10/22
- http://www.openwall.com/lists/oss-security/2024/04/10/23