Cyber Resilience

CVE-2024-1086

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 31 January 2024

Modified: 27 October 2025
KEV Added: 30 May 2024
Patch: 10 April 2024
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8455 (99.3rd percentile)
Risk Priority: 86 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-1086 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 0.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

A use-after-free vulnerability in the Linux kernel's netfilter nf_tables component stems from nft_verdict_init() permitting positive values as drop errors within hook verdicts. This condition triggers a double free in nf_hook_slow() when NF_DROP is issued with an error that resembles NF_ACCEPT, affecting unpatched kernel versions and enabling local privilege escalation.

Local attackers with existing low-privileged access on a system can leverage the flaw to corrupt kernel memory and obtain full root privileges, resulting in complete control over confidentiality, integrity, and availability of the host.

Mitigation guidance centers on upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Multiple technical analyses of the issue and potential exploitation approaches have been shared in public security mailing lists.

The current EPSS score is 0.8455, near its recorded peak of 0.8675.

EU & UK References

Vulnerability details

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

CWE(s)
KEV Date Added: 30 May 2024

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2024-1086 is a use-after-free vulnerability in the Linux kernel's nf_tables component exploitable for local privilege escalation to root, directly enabling T1068: Exploitation for Privilege Escalation.

Affected Assets

linux, linux kernel: 6.8 · 3.15 — 5.15.149 · 6.1 — 6.1.76 · 6.2 — 6.6.15
fedoraproject, fedora: 39
redhat, enterprise linux desktop: 7.0
redhat, enterprise linux for ibm z systems: 7.0_s390x
redhat, enterprise linux for power big endian: 7.0_ppc64
redhat, enterprise linux for power little endian: 7.0_ppc64le
redhat, enterprise linux server: 7.0
redhat, enterprise linux workstation: 7.0
debian, debian linux: 10.0
netapp, a250 firmware: all versions
+2 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the kernel patch past commit f342de4e2f33e0e39165d8639387aa6c19dff660 that eliminates the nft_verdict_init double-free path.

prevent

Restricts the initial low-privileged local accounts that can reach the nf_tables interface and thereby reduces the chance of successful privilege escalation to full kernel control.

prevent

Limits activation of non-essential netfilter nf_tables functionality, shrinking the attack surface that the use-after-free flaw depends on.
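
One way to check a host against the last two controls above, as an added example that is not part of the original page. The user-namespace sysctls are an assumption the page does not name: configuring nf_tables requires CAP_NET_ADMIN, which an unprivileged account can hold inside a user namespace, so those settings decide whether low-privileged users reach the interface. All paths are parameters, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the source page): report the two exposure
# conditions the mitigations above aim to reduce. Every path is a parameter
# so the checks can be run against constructed sample files.

# Succeeds if the file (same format as /proc/modules) lists nf_tables.
nf_tables_loaded() {
    awk '$1 == "nf_tables" { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# Succeeds if a modprobe.d *.conf file blacklists nf_tables or overrides its
# install command with /bin/false or /bin/true.
nf_tables_blocked() {
    s='[[:space:]]'
    pat="^$s*(blacklist$s+nf_tables|install$s+nf_tables$s+/bin/(false|true))$s*\$"
    grep -Eqs "$pat" "$1"/*.conf
}

# Succeeds if unprivileged user namespaces can be created. $1 stands in for
# /proc/sys. kernel/unprivileged_userns_clone exists only on kernels carrying
# the Debian/Ubuntu patch, so a missing file is treated as "not restricted".
userns_open() {
    max=$(cat "$1/user/max_user_namespaces" 2>/dev/null || echo 0)
    clone=$(cat "$1/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    [ "$max" -gt 0 ] && [ "$clone" -ne 0 ]
}

# assess [MODULES_FILE] [MODPROBE_DIR] [SYSCTL_ROOT]: print a one-line summary.
assess() {
    if nf_tables_loaded "${1:-/proc/modules}"; then nft=loaded
    elif nf_tables_blocked "${2:-/etc/modprobe.d}"; then nft=blocked
    else nft=loadable
    fi
    if userns_open "${3:-/proc/sys}"; then ns=open; else ns=closed; fi
    echo "nf_tables=$nft unprivileged_userns=$ns"
}

assess "$@"
```

A kernel with nf_tables built in rather than modular does not list it in /proc/modules, so a "loadable" or "blocked" result only describes modular builds. Neither setting replaces the kernel update; they only narrow who can reach the vulnerable code.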

References