This week, the Cybersecurity and Infrastructure Security Agency (CISA) added a Linux Kernel privilege escalation vulnerability (CVE-2024-1086) to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.  

CVE-2024-1086 (CVSS 7.8) stems from a use-after-free issue in the netfilter's nf_tables component. Specifically, the nft_verdict_init() function improperly handles positive values as drop errors in hook verdicts. This can cause the nf_hook_slow() function to encounter a double-free scenario when NF_DROP mimics NF_ACCEPT.  

Exploiting CVE-2024-1086 allows local attackers to gain root access. This vulnerability affects various Linux distributions, including Red Hat, Ubuntu, Debian, and Fedora.  

Affected versions 

  • Linux kernel versions from 3.15 to 6.8-rc1 

Unaffected versions 

  • Linux kernel versions from 6.8-rc2 and later 

Because there is a PoC available with a high success rate of exploitation, Avertium encourages you to apply updates and mitigations as soon as possible. 



avertium's recommendationS

  • Mitigations 
    • Update Kernel: Users should immediately upgrade to the latest kernel version. Updates are available at kernel.org. 
  • Distribution-Specific Updates 
  • Temporary Protective Measures for Red Hat 
    • Blacklist Affected Module: Prevent the loading of the nf_tables kernel module if not required. Refer to Red Hat Solution for instructions. 
    • Restrict User Namespaces: Limit user namespaces in non-containerized environments to reduce exploitation risk. 
  • You may also find the fix for CVE-2024-1086 here 




At this time, there are no known IoCs associated with CVE-2024-1086. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   



How Avertium is Protecting Our CUSTOMERS

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
    • Risk Assessments 
    • Pen Testing and Social Engineering  
    • Infrastructure Architecture and Integration  
    • Zero Trust Network Architecture 
    • Vulnerability Management 



netfilter: nf_tables: reject QUEUE/DROP verdict parameters - kernel/git/torvalds/linux.git - Linux kernel source tree 

Linux Kernel Privilege Escalation Vulnerability (CVE-2024-1086) Alert - Security Boulevard 

Easy privilege escalation exploit lands for Linux kernels • The Register 

CVE-2022-0847 (debian.org) 


Chat With One of Our Experts

Flash Notice CISA Linux Critical Vulnerability Linux Kernel Blog