Gandalf_The_Grey
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Linux kernel privilege elevation flaw.
The high-severity flaw tracked as CVE-2024-1086 was first disclosed on January 31, 2024, as a use-after-free problem in the netfilter: nf_tables component, but was first introduced by a commit in February 2014.
Netfilter is a framework provided by the Linux kernel that allows various networking-related operations, such as packet filtering, network address translation (NAT), and packet mangling.
The vulnerability is caused because the 'nft_verdict_init()' function allows positive values to be used as a drop error within the hook verdict, causing the 'nf_hook_slow()' function to execute a double free when NF_DROP is issued with a drop error that resembles NF_ACCEPT.
Exploitation of CVE-2024-1086 allows an attacker with local access to achieve privilege escalation on the target system, potentially gaining root-level access.
The issue was fixed via a commit submitted in January 2024, which rejects QUEUE/DROP verdict parameters, thus preventing exploitation.
The fix has been backported to multiple stable kernel versions as listed below:
- v5.4.269 and later
- v5.10.210 and later
- v6.6.15 and later
- v4.19.307 and later
- v6.1.76 and later
- v5.15.149 and later
- v6.7.3 and later
CISA warns of actively exploited Linux privilege elevation flaw
www.bleepingcomputer.com
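
An added example, not part of the original post or the quoted article: a Python check that compares a kernel release string (as printed by `uname -r`) against the fixed stable versions listed above. The function names and status labels are assumptions made for this example; distribution kernels often keep an older base version and backport fixes, so a low patch level with a vendor suffix is reported as needing vendor confirmation rather than as unpatched.

```python
import platform
import re

# Lowest release carrying the CVE-2024-1086 fix on each stable branch,
# copied from the list in the post above.
FIXED = {
    (4, 19): 307,
    (5, 4): 269,
    (5, 10): 210,
    (5, 15): 149,
    (6, 1): 76,
    (6, 6): 15,
    (6, 7): 3,
}


def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch, suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix


def check_release(release):
    """Classify a release against the listed fixed versions.

    Returns 'fixed', 'needs-update', 'verify-with-vendor' or 'unlisted'.
    """
    major, minor, patch, suffix = parse_release(release)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch is not in the post's list, so the list cannot decide it.
        return "unlisted"
    if patch >= fixed_patch:
        return "fixed"
    # A suffix such as "-105-generic" marks a vendor build whose patch
    # number may not reflect backported fixes.
    return "verify-with-vendor" if suffix else "needs-update"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {check_release(running)}")
```

A `verify-with-vendor` or `unlisted` result means the version list alone cannot settle the question; the distribution's advisory for CVE-2024-1086 is the authority in those cases.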