CVE-2024-1086
Published: 31 January 2024
Summary
CVE-2024-1086 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables component stems from nft_verdict_init() permitting positive values as drop errors within hook verdicts. This condition triggers a double free in nf_hook_slow() when NF_DROP is issued with an error that resembles NF_ACCEPT, affecting unpatched kernel versions and enabling local privilege escalation.
Local attackers with existing low-privileged access on a system can leverage the flaw to corrupt kernel memory and obtain full root privileges, resulting in complete control over confidentiality, integrity, and availability of the host.
Mitigation guidance centers on upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Multiple technical analyses of the issue and potential exploitation approaches have been shared in public security mailing lists.
The current EPSS score is 0.8455, near its recorded peak of 0.8675.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16861
Vulnerability details
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
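To make the verdict-validation point above concrete, here is an added illustration (not kernel source, and not code from the advisory) modelling the netfilter verdict encoding: the verdict code in the low byte, the drop errno in the upper 16 bits, decoded by a signed shift. The pre-fix and post-fix validators are simplified models of the nft_verdict_init() check before and after commit f342de4e2f33e0e39165d8639387aa6c19dff660 (assumption: the fix matches base verdicts exactly instead of masking); the NFT_JUMP/NFT_GOTO chain handling is omitted.

```c
#include <stdbool.h>

/* Verdict layout as in the kernel's uapi netfilter.h: verdict code in the
 * low byte, DROP errno or QUEUE number in the upper 16 bits. */
#define NF_DROP            0
#define NF_ACCEPT          1
#define NF_QUEUE           3
#define NF_VERDICT_MASK    0x000000ff
#define NF_VERDICT_QBITS   16
/* nf_tables-internal verdict codes are negative values. */
#define NFT_CONTINUE     (-1)
#define NFT_BREAK        (-2)
#define NFT_RETURN       (-5)

/* How nf_hook_slow() recovers the errno from an NF_DROP verdict: a signed
 * right shift, so an upper half of 0xffff decodes to +1, i.e. NF_ACCEPT. */
static int nf_drop_geterr(int verdict)
{
    return -(verdict >> NF_VERDICT_QBITS);
}

/* Simplified model of the pre-fix check: only the low byte is inspected,
 * so any payload in the upper bits of a DROP verdict is accepted. */
static bool verdict_valid_before_fix(int code)
{
    switch (code) {
    case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN:
        return true;
    default:
        switch (code & NF_VERDICT_MASK) {
        case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
            return true;
        }
        return false;
    }
}

/* Simplified model of the post-fix check: base verdicts must match exactly,
 * so a DROP carrying an errno or queue payload is rejected with -EINVAL. */
static bool verdict_valid_after_fix(int code)
{
    switch (code) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
    case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN:
        return true;
    }
    return false;
}

/* Constructed sample: NF_DROP in the low byte, errno field set to -1, which
 * is the "drop error that resembles NF_ACCEPT" the advisory describes. */
static int drop_verdict_with_accept_errno(void)
{
    return (int)0xffff0000 | NF_DROP;
}
```

The old validator lets the constructed verdict through while the decoded errno equals NF_ACCEPT, which is the inconsistency the patched check closes at rule-load time.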
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 30 May 2024
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-1086 is a use-after-free vulnerability in the Linux kernel's nf_tables component exploitable for local privilege escalation to root, directly enabling T1068: Exploitation for Privilege Escalation.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the kernel patch past commit f342de4e2f33e0e39165d8639387aa6c19dff660 that eliminates the nft_verdict_init double-free path.
- AC-6 (Least Privilege): restricts the initial low-privileged local accounts that can reach the nf_tables interface and thereby reduces the chance of successful privilege escalation to full kernel control.
- Limits activation of non-essential netfilter nf_tables functionality, shrinking the attack surface that the use-after-free flaw depends on.