CVE-2024-1085
Use-after-free in Linux kernel's netfilter: nf_tables component
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability. We recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.
Una vulnerabilidad de use after free en el componente netfilter: nf_tables del kernel de Linux puede explotarse para lograr una escalada de privilegios local. La función nft_setelem_catchall_deactivate() comprueba si el elemento del conjunto general está activo en la generación actual en lugar de en la siguiente generación antes de liberarlo, pero solo lo marca como inactivo en la siguiente generación, lo que permite liberar el elemento varias veces, lo que lleva a una vulnerabilidad double free. Recomendamos actualizar la confirmación anterior b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.
A double-free flaw was found in how the Linux kernel's NetFilter system marks whether a catch-all element is enabled. A local user could use this flaw to crash the system.
Lonial Con discovered that the netfilter subsystem in the Linux kernel contained a memory leak when handling certain element flush operations. A local attacker could use this to expose sensitive information (kernel memory). Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-01-30 CVE Reserved
- 2024-01-31 CVE Published
- 2025-05-29 CVE Updated
- 2025-06-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
- CAPEC-233: Privilege Escalation
References (4)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-1085 | 2024-04-30 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2262127 | 2024-04-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.13 < 5.15.148 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.15.148" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.16 < 6.1.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 6.1.75" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.2 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.6.14" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.7 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.7.2" | - |
Affected
| ||||||