Linux Kernel Use-After-Free Vulnerability (CVE-2024-1086)

Linux kernel contains a use-after-free vulnerability in the netfilter: nf_tables component that allows an attacker to achieve local privilege escalation.

Published Jan 31, 2024 · Updated May 17, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A local attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2024-06-20 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Use After Free (CWE-416) vulnerability in Linux Kernel. A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Exploitation requires local access, low attack complexity, a low-privilege authenticated account, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

●IT Security

●Running linux kernel: 3.15 ≤ v < 5.15.149, 6.1 ≤ v < 6.1.76, 6.2 ≤ v < 6.6.15, 6.7 ≤ v < 6.7.3, 6.8; fedora: 39; enterprise linux desktop: 7.0; enterprise linux for ibm z systems: 7.0_s390x; enterprise linux for power big endian: 7.0_ppc64; enterprise linux for power little endian: 7.0_ppc64le; enterprise linux server: 7.0; enterprise linux workstation: 7.0; debian linux: 10.0; a250 firmware: -; 500f firmware: -; c250 firmware: -

Real-world incidentsWhat we've seen

Used in known ransomware campaigns. Threat-research write-up: http://www.openwall.com/lists/oss-security/2024/04/14/1

How to patch

Manual remediation steps

Identify affected hosts: query inventory for general installs in scope.

Apply the vendor security update referenced in CVE-2024-1086's advisory. No specific KB/version is encoded yet — consult the linked MSRC/vendor URL.

Verify the fix per the vendor's published verification steps.

Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2024-1086 ↗ MSRC Advisory ↗ NVD ↗ Vendor Advisory