CVE-2024-1086

Linux Kernel nf_tables 'notselwyn' — Use-After-Free in Netfilter Verdict Handling Permits Local Privilege Escalation
⚠️ CVSS 3.1  7.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

Overview

Actively Exploited — Ransomware Use Confirmed. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 30, 2024 with a remediation deadline of June 20, 2024. CISA has confirmed use in ransomware campaigns. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2024-1086 is a use-after-free vulnerability in the Linux kernel's nf_tables component — the backend for the nftables firewall framework — that allows any unprivileged local user to escalate to root. Discovered and publicly exploited by security researcher notselwyn, the exploit achieves a ~99.4% success rate on affected Ubuntu 22.04 systems and works across a broad range of kernel versions. CISA confirmed ransomware operators are actively using the exploit to escalate privileges after initial access.

What Is nf_tables?

nf_tables is the kernel component that implements nftables, the modern replacement for iptables as Linux's primary packet filtering and firewall framework. It is present in all Linux kernels from version 3.13 onward and is used by virtually every Linux distribution for firewall management, container networking (Docker, Kubernetes), and network address translation. Because nf_tables table manipulation can be performed inside a user namespace, unprivileged users can reach the vulnerable code path without root access.

Affected Versions

Kernel Branch     Vulnerable Range     Fixed Version
5.14.x – 6.6.x    5.14.0 – 6.6.14      6.6.15
6.7.x             6.7.0 – 6.7.2        6.7.3
< 5.14            Not affected         n/a

Affected distributions (at time of active exploitation): Ubuntu 22.04 LTS (kernel 5.15), Ubuntu 23.10 (kernel 6.5), Debian 12 (kernel 6.1), and other distributions shipping kernels in the 5.14–6.6 range. Ubuntu 20.04 (kernel 5.4) and RHEL 8/9 with restricted user namespaces have reduced exposure.
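As an added example (not part of this advisory), the following Python check maps a `uname -r` string onto the ranges in the table above and reports whether the user-namespace mitigation from the Remediation section is in place; the sysctl path /proc/sys/user/max_user_namespaces and the three-way classification are assumptions of this example.

```python
import platform
import re
from pathlib import Path

# Affected upstream ranges from the table above, inclusive (major, minor, patch).
VULNERABLE_RANGES = [((5, 14, 0), (6, 6, 14)), ((6, 7, 0), (6, 7, 2))]

def parse_kernel_version(release):
    """Map a `uname -r` string such as '5.15.0-105-generic' or '6.6.15'
    to (major, minor, patch); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_in_vulnerable_range(release):
    """True if the upstream version lies inside an affected range. Distributions
    backport fixes without bumping this number, so True means 'check the vendor
    errata', not 'confirmed exploitable'."""
    version = parse_kernel_version(release)
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)

def unprivileged_userns_disabled(sysctl_path="/proc/sys/user/max_user_namespaces"):
    """True when user.max_user_namespaces is 0 (the mitigation from the
    Remediation section); False if the sysctl cannot be read (assumed path)."""
    try:
        return int(Path(sysctl_path).read_text().strip()) == 0
    except (OSError, ValueError):
        return False

def assess(release, userns_disabled):
    """Classify a host as 'outside_range', 'mitigated' or 'exposed'."""
    if not is_in_vulnerable_range(release):
        return "outside_range"
    return "mitigated" if userns_disabled else "exposed"

if __name__ == "__main__":
    release = platform.release()
    print(release, "->", assess(release, unprivileged_userns_disabled()))
```

Because Ubuntu 22.04 ships 5.15.0-NNN kernels whose upstream number never leaves the affected range, an 'exposed' result on a distribution kernel must be confirmed against the vendor errata rather than taken as proof of vulnerability.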

Technical Details

Root Cause: Use-After-Free in Verdict Handling

The vulnerability is in the nft_verdict_init() function in net/netfilter/nf_tables_api.c. When an nf_tables rule uses a QUEUE or DROP verdict targeting another chain, it holds a reference to that chain object. The flaw allows a carefully crafted sequence of table operations to free the chain object while a verdict structure still holds a pointer to it — a classic use-after-free.

The freed chain memory can then be reclaimed with attacker-controlled data. When the kernel later dereferences the stale pointer, it reads and executes attacker-controlled function pointers, permitting arbitrary code execution in kernel context.

Exploitation Path

notselwyn's exploit uses the UAF to corrupt kernel memory via the following chain:

  1. Trigger the UAF by creating an nf_tables chain that references itself in a way that causes a double-free on cleanup.
  2. Reclaim the freed memory using a carefully timed heap spray — replacing the freed chain structure with attacker-controlled bytes containing a fake function pointer table.
  3. Trigger the corrupted function pointer by invoking a verdict that calls through the now-corrupted chain object.
  4. Achieve kernel RIP control, then use a ret2usr or kernel ROP chain to overwrite the calling process's credentials to uid=0.

The exploit uses user namespaces to reach the vulnerable code path without root privileges. Disabling them (sysctl kernel.unprivileged_userfaultfd=0 and sysctl user.max_user_namespaces=0) removes the attack path on unpatched systems.

Attack Characteristics

Attribute                 Detail
Attack Vector             Local — requires an existing user session
Privileges Required       Low — any unprivileged user
Prerequisites             User namespace support (enabled by default on Ubuntu/Debian)
Race Condition Required   No — heap manipulation is deterministic
Success Rate              ~99.4% on Ubuntu 22.04 per notselwyn's testing
Ransomware Use            Confirmed — CISA KEV includes ransomware attribution

Ransomware Context

CISA's KEV entry explicitly notes ransomware use, making CVE-2024-1086 one of a small number of Linux kernel LPEs with confirmed ransomware operator involvement. The typical use pattern is post-exploitation: an attacker achieves initial access via a web application vulnerability, SSH credential theft, or phishing, then uses CVE-2024-1086 to escalate from the web server's unprivileged service account to root, enabling ransomware deployment or persistent backdoor installation.

Discovery

notselwyn (a pseudonymous security researcher) independently discovered and developed a weaponized exploit, publishing a comprehensive writeup on March 31, 2024 — two months after the kernel fix was merged but before many distributions had patched deployed systems. The writeup included full source code for the exploit and detailed step-by-step exploitation methodology. The kernel fix (commit f342de4e) had already been merged in January, but the gap between kernel fix and distribution package updates left a large window of exposure.

Exploitation Context

  • Patch gap: The kernel fix was available January 31, 2024; active exploitation was confirmed by CISA May 30, 2024 — a four-month window during which patched kernel packages had not reached many production systems
  • Container environments: Kubernetes and Docker workloads running on affected kernels are exposed — a container escape followed by this LPE yields host root
  • Ubuntu 22.04 LTS: The most widely deployed Ubuntu LTS at time of disclosure; enabled user namespaces by default, directly exposing the attack surface
  • RHEL/CentOS mitigation: Red Hat's default user.max_user_namespaces=0 policy in RHEL 8 and 9 blocks the attack path without patching

Remediation

CISA BOD 22-01 Deadline: June 20, 2024. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Update the kernel to Linux 6.6.15, 6.7.3, or any later release. Apply your distribution's security errata. Verify with uname -r.

  2. Apply distribution patches:

    • Ubuntu: apt update && apt upgrade linux-image-generic
    • Debian: apt update && apt upgrade linux-image-amd64
    • RHEL 9: Check for kernel errata via yum update kernel

  3. Immediate mitigation — disable unprivileged user namespaces (blocks the attack path on unpatched systems):

    sysctl -w user.max_user_namespaces=0

    Persist in /etc/sysctl.d/99-namespace-harden.conf. Note: this breaks rootless containers (Docker rootless, Podman) — evaluate against your workload.

  4. Harden the nf_tables attack surface — if nftables is not required on a host, restrict its access:

    sysctl -w kernel.unprivileged_bpf_disabled=1

    See the Linux Kernel Hardening guide for a systematic approach to reducing kernel attack surface.

  5. Monitor for exploitation indicators: The exploit creates nf_tables chains in rapid succession. Unusual nftables activity from non-root processes (visible in auditd logs with AUDIT_NETFILTER_CFG events) is a potential indicator.
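As an added example (not part of this advisory), the following Python detection sketch implements the indicator in step 5: it joins auditd NETFILTER_CFG records to the SYSCALL record sharing their audit serial to recover the caller's uid, then alerts on a non-root pid that registers many nf_tables chains in a short window. The record layout, the field name op=nft_register_chain, the sample log and the threshold/window values are assumptions of this example; check them against your own auditd output.

```python
import re
from collections import defaultdict

REC_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (layout mimics auditd): one root nft call, then 20 chain
# registrations from an unprivileged pid within 20 ms.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1716000000.100:501): syscall=46 success=yes uid=0 auid=0 comm="nft"',
    'type=NETFILTER_CFG msg=audit(1716000000.100:501): table=filter:2 family=2 entries=1 op=nft_register_chain pid=900 comm="nft"',
]
for i in range(20):
    ts, serial = f"1716000010.{100 + i:03d}", 700 + i
    SAMPLE_LOG.append(f'type=SYSCALL msg=audit({ts}:{serial}): syscall=46 success=yes uid=1000 auid=1000 comm="a.out"')
    SAMPLE_LOG.append(f'type=NETFILTER_CFG msg=audit({ts}:{serial}): table=t:7 family=2 entries=0 op=nft_register_chain pid=4242 comm="a.out"')

def parse_record(line):
    """Split an audit line into (type, timestamp, serial, {field: value}) or None."""
    m = REC_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return rtype, float(ts), int(serial), {k: v.strip('"') for k, v in KV_RE.findall(body)}

def chain_registrations(lines):
    """Return (ts, uid, pid, comm) per nft_register_chain record; uid comes from the SYSCALL record sharing the audit serial (-1 if unseen)."""
    uid_by_serial, cfg = {}, []
    for rtype, ts, serial, f in filter(None, map(parse_record, lines)):
        if rtype == "SYSCALL" and "uid" in f:
            uid_by_serial[serial] = int(f["uid"])
        elif rtype == "NETFILTER_CFG" and f.get("op") == "nft_register_chain":
            cfg.append((ts, serial, f))
    return [(ts, uid_by_serial.get(s, -1), int(f.get("pid", 0)), f.get("comm", "?")) for ts, s, f in cfg]

def find_bursts(lines, threshold=10, window=1.0):
    """Alert on non-root (or unattributed, uid=-1) pids registering >= threshold chains inside some window-second span."""
    per_pid = defaultdict(list)
    for ts, uid, pid, comm in chain_registrations(lines):
        if uid != 0:
            per_pid[(pid, uid, comm)].append(ts)
    alerts = []
    for (pid, uid, comm), stamps in per_pid.items():
        stamps.sort()
        # a burst exists iff some slice of `threshold` consecutive stamps spans <= window
        if any(stamps[i + threshold - 1] - stamps[i] <= window for i in range(len(stamps) - threshold + 1)):
            alerts.append({"pid": pid, "uid": uid, "comm": comm, "count": len(stamps)})
    return alerts
```

Legitimate firewall reloads run as root and are excluded by the uid check; tune threshold and window against a baseline of your own hosts before alerting on it.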

Key Details

Property               Value
CVE ID                 CVE-2024-1086
Vendor / Product       Linux — Kernel
NVD Published          2024-01-31
NVD Last Modified      2025-10-27
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-416 — Use After Free
CISA KEV Added         2024-05-30
CISA KEV Deadline      2024-06-20
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-06-20. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-01-31   CVE-2024-1086 published; fix commit f342de4e merged into Linux kernel
2024-03-31   notselwyn publishes detailed exploitation writeup and public exploit achieving ~99.4% success rate on Ubuntu 22.04
2024-05-30   Added to CISA Known Exploited Vulnerabilities catalog; ransomware use confirmed
2024-06-20   CISA BOD 22-01 remediation deadline