IRONSMITHINTEL
MEDIUM | CVSS 5.3 | Actively Exploited | CISA KEV | CVE-2022-2586 | Auth: low (authenticated user) | Reboot: required | Manual only

Linux Kernel Use-After-Free Vulnerability (CVE-2022-2586)

Linux Kernel contains a use-after-free vulnerability in the nft_object, allowing local attackers to escalate privileges.

Published Jan 8, 2024 · Updated May 17, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

A local attacker with a low-privilege account can cause full loss of data confidentiality, partial data tampering, and complete denial of service or system unavailability. Federal agencies are required to remediate by 2024-07-17 under CISA BOD 22-01.

How the attack works: No clicks needed

This is a Use After Free (CWE-416) vulnerability in the Linux Kernel. It was discovered that an nft object or expression could reference an nft set on a different nft table, leading to a use-after-free once that table was deleted. Exploitation requires local access, higher attack complexity, and a low-privilege authenticated account; no user interaction is required.

Am I affected? Quick check

Probably yes if any of these apply:

IT Security
Running Linux kernel: v ≤ 5.19.17, 6.0; Ubuntu Linux: 14.04, 16.04, 18.04, 20.04, 22.04

Real-world incidents: What we've seen

Active exploitation documented in the wild. Threat-research write-up: https://www.vicarius.io/vsociety/posts/use-after-free-vulnerability-linked-chain-between-nft-tables-cve-2022-2586

How to patch

Manual remediation steps

1. Identify affected hosts: query inventory for general installs in scope.
2. Apply the vendor security update referenced in CVE-2022-2586's advisory. No specific KB/version is encoded yet; consult the linked MSRC/vendor URL.
3. Verify the fix per the vendor's published verification steps.
4. Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.