CVE-2024-1086
Security Intelligence Brief
- Published Date: January 31, 2024
- Modified Date: October 21, 2025
- CISA Known Exploited Vulnerabilities (KEV) Catalog: Added on May 30, 2024, due to observed active exploitation in the wild.
- CISA Confirmation of Ransomware Exploitation: October 31, 2025, confirming its active use in ransomware campaigns.
- Affected Component: Linux kernel's netfilter: nf_tables component.
- Vulnerable Kernel Versions:
- From kernel version 3.15 up to, but not including, 6.8-rc1.
- Specifically, kernels between v3.15 and v6.1.76 (excluding v6.1.76).
- Kernels between v6.2 and v6.6.15 (excluding v6.6.15).
- Kernels between v6.7 and v6.7.3 (excluding v6.7.3).
- Linux kernel versions before 6.6.5 are also vulnerable.
- Affected Distributions/Vendors (examples include, but are not limited to):
- Ubuntu (Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 23.10)
- Red Hat (RHEL 7, RHEL 8, RHEL 9)
- Debian (Kernel-version 6.1.76-1, and potentially other versions if using affected kernels)
- Fedora
- Amazon Linux
- Oracle Linux
- Rocky Linux
- Root Cause: The nft_verdict_init() function incorrectly allows positive values as a "drop error" within the hook verdict. This flaw allows the nf_hook_slow() function to call kfree() twice on the same object, creating a double-free vulnerability. When NF_DROP is issued with a drop error that resembles NF_ACCEPT, the memory is freed twice, leading to memory corruption.
- Attack Vector: The primary attack vector is local privilege escalation. This means an attacker must already have local access to the vulnerable system. The attacker then exploits the memory corruption to gain elevated privileges, typically root access. The exploit leverages unprivileged user namespaces to access the nf_tables component.
- Initial Access: An attacker first needs to gain initial, unprivileged access to the target system. This could be achieved through various means such as phishing, stolen credentials, or by exploiting other internet-facing vulnerabilities.
- Triggering Double-Free: The attacker then crafts malicious input or manipulates the netfilter rules to trigger the double-free condition in the nf_tables component via the nft_verdict_init() and nf_hook_slow() functions.
- Memory Manipulation: By leveraging the use-after-free primitive, the attacker can manipulate memory and achieve arbitrary read/write capabilities within the kernel.
- Privilege Escalation: The memory manipulation is used to hijack control flow or overwrite critical kernel data structures, allowing the attacker to execute arbitrary code with root privileges.
- Post-Exploitation: Once root access is gained, the attacker has full control over the system, enabling actions such as disabling security tools, clearing logs, establishing persistence, deploying ransomware, and exfiltrating sensitive data.
- Kernel Update: Upgrade the Linux kernel to a version that includes the fix. Specifically, update to Linux kernel 6.8-rc2 or newer. Patched versions include:
- v5.15.149 or later
- v6.1.76 or later
- v6.6.15 or later
- Specific Commit: The vulnerability is fixed in kernel commit f342de4e2f33e0e39165d8639387aa6c19dff660. Updating past this commit resolves the issue.
- Distribution-Specific Patches: Apply updates provided by your Linux distribution vendor. For example, Amazon Linux users can run yum update kernel or yum update --advisory ALAS-2024-1919. Most major Linux distributions have released new versions addressing this vulnerability.
- Temporary Mitigation (Disabling Unprivileged User Namespaces): As a potential temporary mitigation, disabling namespace creation for unprivileged users can restrict the exploit's access to nf_tables.
- To disable temporarily: Run sudo sysctl -w kernel.unprivileged_userns_clone=0.
- To disable persistently: Add kernel.unprivileged_userns_clone=0 to a file like /etc/sysctl.d/99-disable-unpriv-userns.conf and apply it.
- Check Kernel Version: Use the command uname -r to determine the currently running kernel version. Systems running kernel versions between 3.15 and 6.8-rc1 are at risk. More specifically, systems with kernel versions before v5.15.149, v6.1.76, or v6.6.15 are vulnerable.
- Verify Patch Status: Check if the specific kernel commit f342de4e2f33e0e39165d8639387aa6c19dff660 has been applied to your kernel. This can often be done by inspecting kernel source code or package information.
- Distribution Package Management: Use your distribution's package manager (e.g., apt, yum, dnf) to query the installed kernel package version and compare it against vendor advisories.
- Configuration Check: Assess if unprivileged user namespaces are enabled on the system, as the public PoC exploit leverages this feature to access nf_tables.
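Added example, not code from the CVE Radar brief or the kernel project: a POSIX shell helper that classifies a kernel release string against the fixed versions listed above and reports whether unprivileged user namespace creation is enabled. It assumes the version ranges exactly as the brief states them, and because kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-derived kernels, it falls back to the mainline user.max_user_namespaces sysctl (0 disables creation for everyone).

```shell
#!/bin/sh
# Added example (not from the CVE Radar brief): triage helper for CVE-2024-1086.
# Version thresholds below are the ones the brief lists (assumption: complete).

# kernel_status VERSION -> not-affected | vulnerable | fixed | check-vendor | unknown
kernel_status() {
    v=${1%%-*}; v=${v%%+*}             # "6.1.0-18-amd64" -> "6.1.0"
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0       # no minor component
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0  # no patch component
    case "$major.$minor.$patch" in *[!0-9.]*|.*) echo unknown; return ;; esac
    # Older than 3.15: before the bug was introduced, per the brief.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 15 ]; }; then
        echo not-affected; return
    fi
    # 6.8-rc1 and later are outside the affected range.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo fixed; return
    fi
    # Stable branches with a fixed version listed in the brief.
    case "$major.$minor" in
        5.15) fix=149 ;;
        6.1)  fix=76 ;;
        6.6)  fix=15 ;;
        6.7)  fix=3 ;;
        *)    echo check-vendor; return ;;   # affected range, no fix listed
    esac
    if [ "$patch" -ge "$fix" ]; then echo fixed; else echo vulnerable; fi
}

# userns_status [SYSCTL_ROOT] -> disabled | enabled | unknown
# Debian/Ubuntu kernels expose kernel.unprivileged_userns_clone (the knob the
# brief uses); mainline and RHEL-family kernels only have
# user.max_user_namespaces, where 0 disables creation for everyone.
userns_status() {
    root=${1:-/proc/sys}
    for knob in kernel/unprivileged_userns_clone user/max_user_namespaces; do
        if [ -r "$root/$knob" ]; then
            if [ "$(cat "$root/$knob")" = 0 ]; then echo disabled; else echo enabled; fi
            return
        fi
    done
    echo unknown
}

# Stand-alone use: report on the running host.
printf 'kernel %s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
printf 'unprivileged user namespaces: %s\n' "$(userns_status)"
```

A distribution kernel can carry the backported fix without a version bump, so treat "vulnerable" or "check-vendor" as a prompt to compare the package version against the vendor advisory rather than as a confirmed finding.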
- Unauthorized Privilege Escalation: Any logged attempts or successful events of an unprivileged user gaining root or elevated system privileges without legitimate authorization.
- Unusual Process Activity: Detection of unexpected processes running with root privileges, especially those initiated by a non-root user.
- System Configuration Changes: Unauthorized modifications to critical system files, network configurations, or security settings that would typically require elevated privileges.
- Malware Deployment: Presence of ransomware binaries, suspicious scripts, or other malicious payloads on the system, particularly in unexpected directories or with elevated permissions.
- Anomalous Network Connections: Outbound connections from compromised systems to unknown external IP addresses or domains (potential command-and-control or data exfiltration).
- User Namespace Manipulation: Signs of unprivileged user namespace creation or abnormal activity related to namespace operations, especially in conjunction with attempts to interact with nf_tables.
- Security Tool Evasion: Attempts to disable, modify, or uninstall security software (e.g., EDR agents, antivirus).
- Log Tampering: Clearing of system logs or manipulation of audit trails to hide malicious activity.
- Initially, CrowdStrike observed two unknown threat actors attempting to leverage CVE-2024-1086.
- The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this vulnerability is being actively exploited in ransomware campaigns.
- Ransomware groups are increasingly deploying ransomware that targets Linux. Specifically, groups such as RansomHub, Akira, and LockBit are mentioned as being active in this space and could be exploiting this vulnerability. RansomHub, in particular, has emerged as a dominant ransomware-as-a-service (RaaS) group using Go-based Linux malware.
- CVE ID: CVE-2024-1086
- CWE ID: CWE-416 (Use-After-Free)
- NVD Detail Page: https://nvd.nist.gov/vuln/detail/CVE-2024-1086
- CISA Known Exploited Vulnerabilities Catalog: Added on May 30, 2024, with further warnings in October 2025 regarding active exploitation in ransomware campaigns.
- Linux Kernel Git Commit (Fix): The fix is included in commit f342de4e2f33e0e39165d8639387aa6c19dff660, available at https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660.
- Public Proof-of-Concept (PoC) Exploit: A detailed analysis and PoC exploit were published on GitHub by researcher "Notselwyn" on March 26, 2024.
- Vendor Advisories: Various Linux distributions and security vendors have issued advisories, including Amazon Linux (ALAS-2024-1919).
- Security Articles and Blogs: Numerous cybersecurity firms and researchers have published analyses and advisories, such as those from CrowdStrike, Sysdig, SOC Prime, and others.
- Risk Assessment: The risk associated with CVE-2024-1086 is assessed as High. With a CVSS v3 score of 7.8, it represents a critical flaw leading to local privilege escalation. The vulnerability allows an attacker with existing local access to gain full root privileges, enabling complete system takeover, data theft, defense evasion, and lateral movement within a network. Compounding the risk is the confirmed active exploitation of this vulnerability in the wild, particularly by ransomware groups. The presence of a public Proof-of-Concept (PoC) exploit further increases the likelihood of successful attacks.
- Urgency Level: The urgency level for addressing this vulnerability is Critical. Due to its high severity, ease of exploitation (low attack complexity and no user interaction required after initial access), and confirmed active exploitation in ransomware campaigns, immediate action is required. Organizations with affected Linux systems should prioritize patching without delay. CISA has included it in its Known Exploited Vulnerabilities Catalog, mandating remediation for federal agencies, which serves as a strong recommendation for all organizations to patch or mitigate promptly. Legacy systems, in particular, may be exposed as the vulnerability has existed for approximately ten years.