CVE-2024-1086: Fixes in Linux Kernel
First published: Wed Jan 31 2024(Updated: )
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
Credit: cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP8 IF01 | |
| redhat/kernel | <6.8 | 6.8 |
| Linux kernel | ||
| F5 F5OS-A | =1.7.0>=1.5.0<=1.5.2 | 1.8.0 |
| F5 F5OS-C | >=1.6.0<=1.6.2>=1.5.0<=1.5.1 | 1.8.0 |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.13-1 | |
| Linux Kernel | >=3.15<5.15.149 | |
| Linux Kernel | >=6.1<6.1.76 | |
| Linux Kernel | >=6.2<6.6.15 | |
| Linux Kernel | >=6.7<6.7.3 | |
| Linux Kernel | =6.8-rc1 | |
| Fedora | =39 | |
| redhat enterprise Linux desktop | =7.0 | |
| redhat enterprise Linux for ibm z systems | =7.0_s390x | |
| redhat enterprise Linux for power big endian | =7.0_ppc64 | |
| redhat enterprise Linux for power little endian | =7.0_ppc64le | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux workstation | =7.0 | |
| Debian | =10.0 | |
| All of | ||
| netapp a250 firmware | ||
| netapp a250 | ||
| All of | ||
| netapp 500f firmware | ||
| netapp 500f | ||
| All of | ||
| NetApp C250 Firmware | ||
| NetApp C250 Firmware |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remedy
If not needed, disable the ability for unprivileged users to create namespaces. To do this temporarily, do: sudo sysctl -w kernel.unprivileged_userns_clone=0 To disable across reboots, do: echo kernel.unprivileged_userns_clone=0 | \ sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-chromeos.html (Advisory)
- https://www.theregister.com/2024/03/29/linux_kernel_flaw/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LSPIOMIJYTLZB6QKPQVVAYSUETUWKPF/
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660
- https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660
- https://github.com/Notselwyn/CVE-2024-1086
- https://news.ycombinator.com/item?id=39828424
- https://pwning.tech/nftables/
- https://launchpad.net/bugs/cve/CVE-2024-1086
- https://exchange.xforce.ibmcloud.com/vulnerabilities/281122
- https://www.ibm.com/support/pages/node/7150684 (Advisory)
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-linux-privilege-elevation-flaw/
- http://www.openwall.com/lists/oss-security/2024/04/15/2
- http://www.openwall.com/lists/oss-security/2024/04/10/23
- http://www.openwall.com/lists/oss-security/2024/04/10/22
- http://www.openwall.com/lists/oss-security/2024/04/14/1
- http://www.openwall.com/lists/oss-security/2024/04/17/5
- https://security.netapp.com/advisory/ntap-20240614-0009/
- https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2262128
- https://access.redhat.com/errata/RHSA-2024:0930
- https://access.redhat.com/errata/RHSA-2024:1019
- https://access.redhat.com/errata/RHSA-2024:1018
- https://access.redhat.com/errata/RHSA-2024:1249
- https://access.redhat.com/errata/RHSA-2024:1332
- https://access.redhat.com/errata/RHSA-2024:1404
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2269217
- https://access.redhat.com/errata/RHSA-2024:1607
- https://access.redhat.com/errata/RHSA-2024:1614
- https://access.redhat.com/security/cve/CVE-2024-1086
- https://access.redhat.com/errata/RHSA-2024:2394
- https://access.redhat.com/errata/RHSA-2024:2697
- https://access.redhat.com/errata/RHSA-2024:3319
- https://access.redhat.com/errata/RHSA-2024:3318
- https://access.redhat.com/errata/RHSA-2024:3427
- https://access.redhat.com/errata/RHSA-2024:3414
- https://access.redhat.com/errata/RHSA-2024:3421
- https://access.redhat.com/errata/RHSA-2024:3530
- https://access.redhat.com/errata/RHSA-2024:3528
- https://access.redhat.com/errata/RHSA-2024:3529
- https://access.redhat.com/errata/RHSA-2024:3805
- https://access.redhat.com/errata/RHSA-2024:4075
- https://access.redhat.com/errata/RHSA-2024:4074
- https://access.redhat.com/errata/RHSA-2024:4073
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2262126#c55
- https://pokerogue.io
- https://bugzilla.redhat.com/show_bug.cgi?id=2262126
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1086
- https://nvd.nist.gov/vuln/detail/CVE-2024-1086
- https://security-tracker.debian.org/tracker/CVE-2024-1086
- https://ubuntu.com/security/CVE-2024-1086
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660;
- https://my.f5.com/manage/s/article/K000139430
- https://git.kernel.org/linus/f342de4e2f33e0e39165d8639387aa6c19dff660
- https://www.theregister.com/2025/02/10/infosec_in_brief/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2024-1086?
CVE-2024-1086 is classified as a high-severity vulnerability due to its potential for local privilege escalation.
How do I fix CVE-2024-1086?
To address CVE-2024-1086, upgrade to the patched versions of the Linux kernel or affected software as detailed in the vendor advisories.
What products are affected by CVE-2024-1086?
CVE-2024-1086 affects various versions of the Linux kernel, F5OS-A, F5OS-C, and IBM QRadar SIEM 7.5.0 UP8 IF01.
Can CVE-2024-1086 be exploited remotely?
CVE-2024-1086 requires local access for exploitation, as it is a use-after-free vulnerability affecting kernel components.
What versions of the Linux kernel are vulnerable to CVE-2024-1086?
CVE-2024-1086 affects Linux kernel versions between 3.15 and 6.8, including specific ranges within those versions.
- agent/type
- collector/chrome-releases
- agent/author
- agent/first-publish-date
- agent/title
- collector/the-register
- source/The Register
- alias/CVE-2024-1086
- agent/news-ai
- agent/weakness
- collector/oss-sec
- source/oss-sec
- collector/launchpad-cve
- source/Launchpad
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/severity
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-24919
- collector/mitre-cve
- source/MITRE
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- agent/trending
- agent/source
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup-request
- collector/f5-advisory
- source/F5
- alias/CVE-2024-21413
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/last-modified-date
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5 - 7.5.0 up8 if01
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- vendor/f5
- canonical/f5 f5os-a
- version/f5 f5os-a/1.7.0
- version/f5 f5os-a/1.5.0
- version/f5 f5os-a/1.5.2
- canonical/f5 f5os-c
- version/f5 f5os-c/1.6.0
- version/f5 f5os-c/1.6.2
- version/f5 f5os-c/1.5.0
- version/f5 f5os-c/1.5.1
- package-manager/debian
- version/linux kernel/3.15
- version/linux kernel/6.1
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.8-rc1
- vendor/fedoraproject
- canonical/fedora
- version/fedora/39
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/7.0_s390x
- canonical/redhat enterprise linux for power big endian
- version/redhat enterprise linux for power big endian/7.0_ppc64
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/7.0_ppc64le
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/debian
- canonical/debian
- version/debian/10.0
- vendor/netapp
- canonical/netapp a250 firmware
- canonical/netapp a250
- canonical/netapp 500f firmware
- canonical/netapp 500f
- canonical/netapp c250 firmware