Bug 2262126 (CVE-2024-1086) - CVE-2024-1086 kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
Summary: CVE-2024-1086 kernel: nf_tables: use-after-free vulnerability in the nft_verd...
Keywords:
Status: NEW
Alias: CVE-2024-1086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2024-26609 (view as bug list)
Depends On: 2262128
Blocks: 2269240 2262125
TreeView+ depends on / blocked
 
Reported: 2024-01-31 18:06 UTC by Patrick Del Bello
Modified: 2024-06-12 15:30 UTC (History)
61 users (show)

Fixed In Version: kernel 6.8-rc2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the nft_verdict_init() function, allowing positive values as a drop error within the hook verdict, therefore, the nf_hook_slow() function can cause a double-free vulnerability when NF_DROP is issued with a drop error that resembles NF_ACCEPT. The nf_tables component can be exploited to achieve local privilege escalation.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1338 0 None None None 2024-03-14 15:52:24 UTC
Red Hat Product Errata RHBA-2024:1350 0 None None None 2024-03-18 08:41:27 UTC
Red Hat Product Errata RHBA-2024:1699 0 None None None 2024-04-08 14:54:20 UTC
Red Hat Product Errata RHBA-2024:2634 0 None None None 2024-05-01 01:22:27 UTC
Red Hat Product Errata RHBA-2024:2650 0 None None None 2024-05-02 00:15:14 UTC
Red Hat Product Errata RHBA-2024:2686 0 None None None 2024-05-02 22:50:21 UTC
Red Hat Product Errata RHBA-2024:3866 0 None None None 2024-06-12 15:30:46 UTC
Red Hat Product Errata RHSA-2024:0930 0 None None None 2024-02-21 00:27:49 UTC
Red Hat Product Errata RHSA-2024:1018 0 None None None 2024-02-28 12:41:40 UTC
Red Hat Product Errata RHSA-2024:1019 0 None None None 2024-02-28 12:34:16 UTC
Red Hat Product Errata RHSA-2024:1249 0 None None None 2024-03-12 00:47:38 UTC
Red Hat Product Errata RHSA-2024:1332 0 None None None 2024-03-14 14:51:24 UTC
Red Hat Product Errata RHSA-2024:1404 0 None None None 2024-03-19 17:28:07 UTC
Red Hat Product Errata RHSA-2024:1607 0 None None None 2024-04-02 15:55:52 UTC
Red Hat Product Errata RHSA-2024:1614 0 None None None 2024-04-02 17:22:05 UTC
Red Hat Product Errata RHSA-2024:2394 0 None None None 2024-04-30 10:15:27 UTC
Red Hat Product Errata RHSA-2024:2697 0 None None None 2024-05-06 01:25:28 UTC
Red Hat Product Errata RHSA-2024:3318 0 None None None 2024-05-23 07:38:11 UTC
Red Hat Product Errata RHSA-2024:3319 0 None None None 2024-05-23 07:37:35 UTC
Red Hat Product Errata RHSA-2024:3414 0 None None None 2024-05-28 14:05:15 UTC
Red Hat Product Errata RHSA-2024:3421 0 None None None 2024-05-28 14:07:11 UTC
Red Hat Product Errata RHSA-2024:3427 0 None None None 2024-05-28 13:20:11 UTC
Red Hat Product Errata RHSA-2024:3528 0 None None None 2024-05-31 15:47:07 UTC
Red Hat Product Errata RHSA-2024:3529 0 None None None 2024-05-31 15:51:57 UTC
Red Hat Product Errata RHSA-2024:3530 0 None None None 2024-05-31 15:44:57 UTC
Red Hat Product Errata RHSA-2024:3805 0 None None None 2024-06-11 15:43:02 UTC

Description Patrick Del Bello 2024-01-31 18:06:13 UTC
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.

We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660
https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660

Comment 1 Patrick Del Bello 2024-01-31 18:06:49 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2262128]

Comment 9 errata-xmlrpc 2024-02-21 00:27:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0930 https://access.redhat.com/errata/RHSA-2024:0930

Comment 11 errata-xmlrpc 2024-02-28 12:34:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

Comment 12 errata-xmlrpc 2024-02-28 12:41:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

Comment 13 errata-xmlrpc 2024-03-12 00:47:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1249 https://access.redhat.com/errata/RHSA-2024:1249

Comment 17 errata-xmlrpc 2024-03-14 14:51:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1332 https://access.redhat.com/errata/RHSA-2024:1332

Comment 19 errata-xmlrpc 2024-03-19 17:28:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404

Comment 21 Alex 2024-04-02 10:51:02 UTC
*** Bug 2269217 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2024-04-02 15:55:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607

Comment 23 errata-xmlrpc 2024-04-02 17:22:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614

Comment 26 Alexander Peslyak 2024-04-07 00:16:18 UTC
Hi. https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all (it only mentions other major versions and 9.2 EUS), whereas 9.3 is in fact affected - the published exploit just works all the way to a root shell. I wonder if this maybe slipped through the cracks, and actually delays fixing the issue for 9.3/9.4? And even if not, it's something to fix on that access page. Thanks!

Comment 29 Alexander Peslyak 2024-04-08 17:54:37 UTC
> https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all

Oops, I was wrong, sorry! It does say RHEL 9 is Affected on the second page of results (the first page is "1-10 of 12"). I find this UI non-intuitive, and keep forgetting more pages of results may exist. Anyway, good to know the issue is known and acknowledged.

Comment 36 errata-xmlrpc 2024-04-30 10:15:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

Comment 39 errata-xmlrpc 2024-05-06 01:25:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2697 https://access.redhat.com/errata/RHSA-2024:2697

Comment 40 errata-xmlrpc 2024-05-23 07:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:3319 https://access.redhat.com/errata/RHSA-2024:3319

Comment 41 errata-xmlrpc 2024-05-23 07:38:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2024:3318 https://access.redhat.com/errata/RHSA-2024:3318

Comment 42 errata-xmlrpc 2024-05-28 13:20:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3427 https://access.redhat.com/errata/RHSA-2024:3427

Comment 43 errata-xmlrpc 2024-05-28 14:05:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3414 https://access.redhat.com/errata/RHSA-2024:3414

Comment 44 errata-xmlrpc 2024-05-28 14:07:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421

Comment 49 errata-xmlrpc 2024-05-31 15:44:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:3530 https://access.redhat.com/errata/RHSA-2024:3530

Comment 50 errata-xmlrpc 2024-05-31 15:47:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:3528 https://access.redhat.com/errata/RHSA-2024:3528

Comment 51 errata-xmlrpc 2024-05-31 15:51:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:3529 https://access.redhat.com/errata/RHSA-2024:3529

Comment 52 errata-xmlrpc 2024-06-11 15:42:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:3805 https://access.redhat.com/errata/RHSA-2024:3805


Note You need to log in before you can comment on or make changes to this bug.