CVE-2024-1086

Linux Kernel Use-After-Free Vulnerability

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

Una vulnerabilidad de use after free en el componente netfilter: nf_tables del kernel de Linux puede explotarse para lograr una escalada de privilegios local. La función nft_verdict_init() permite valores positivos como error de eliminación dentro del veredicto del gancho y, por lo tanto, la función nf_hook_slow() puede causar una vulnerabilidad double free cuando NF_DROP se emite con un error de eliminación similar a NF_ACCEPT. Recomendamos actualizar después del compromiso f342de4e2f33e0e39165d8639387aa6c19dff660.

A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the nft_verdict_init() function, allowing positive values as a drop error within the hook verdict, therefore, the nf_hook_slow() function can cause a double-free vulnerability when NF_DROP is issued with a drop error that resembles NF_ACCEPT. The nf_tables component can be exploited to achieve local privilege escalation.

It was discovered that the Layer 2 Tunneling Protocol implementation in the Linux kernel contained a race condition when releasing PPPoL2TP sockets in certain conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle block device modification while it is mounted. A privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation.

*Credits: Notselwyn

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-30 CVE Reserved
2024-01-31 CVE Published
2024-04-01 First Exploit
2024-05-30 Exploited in Wild
2024-06-20 KEV Due Date
2025-02-13 CVE Updated
2025-03-25 EPSS Updated

CWE

CWE-416: Use After Free

CAPEC

CAPEC-233: Privilege Escalation

References (25)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/15/2	Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LSPIOMIJYTLZB6QKPQVVAYSUETUWKPF	Mailing List
https://news.ycombinator.com/item?id=39828424	Issue Tracking
https://security.netapp.com/advisory/ntap-20240614-0009

URL	Date	SRC
https://packetstorm.news/files/id/177862	2024-04-01
https://github.com/Notselwyn/CVE-2024-1086	2025-02-13
https://github.com/feely666/CVE-2024-1086	2024-06-10
https://github.com/CCIEVoice2009/CVE-2024-1086	2024-04-07
https://github.com/pl0xe/CVE-2024-1086	2024-08-20
https://github.com/xzx482/CVE-2024-1086	2024-04-07
https://github.com/kevcooper/CVE-2024-1086-checker	2024-06-10
https://github.com/matrixvk/CVE-2024-1086-aarch64	2024-10-21
https://github.com/Alicey0719/docker-POC_CVE-2024-1086	2024-06-18
https://github.com/LLfam/CVE-2024-1086	2024-12-19
http://www.openwall.com/lists/oss-security/2024/04/14/1	2025-02-13
http://www.openwall.com/lists/oss-security/2024/04/17/5	2025-02-13
https://pwning.tech/nftables	2025-02-13

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2024/04/10/22	2024-06-27
http://www.openwall.com/lists/oss-security/2024/04/10/23	2024-06-27
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660	2024-06-27
https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660	2024-06-27

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-1086	2024-06-25
https://bugzilla.redhat.com/show_bug.cgi?id=2262126	2024-06-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.15 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.15 < 5.15.149"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.76 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.76"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.6.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.6.15"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.7.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.7.3"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.8 Search vendor "Linux" for product "Linux Kernel" and version "6.8"		rc1		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"				7.0_s390x Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "7.0_s390x"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Big Endian Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian"				7.0_ppc64 Search vendor "Redhat" for product "Enterprise Linux For Power Big Endian" and version "7.0_ppc64"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"				7.0_ppc64le Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "7.0_ppc64le"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected