A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660 https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2262128]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0930 https://access.redhat.com/errata/RHSA-2024:0930
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:1249 https://access.redhat.com/errata/RHSA-2024:1249
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:1332 https://access.redhat.com/errata/RHSA-2024:1332
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404
*** Bug 2269217 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614
Hi. https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all (it only mentions other major versions and 9.2 EUS), whereas 9.3 is in fact affected - the published exploit just works all the way to a root shell. I wonder if this maybe slipped through the cracks, and actually delays fixing the issue for 9.3/9.4? And even if not, it's something to fix on that access page. Thanks!
> https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all Oops, I was wrong, sorry! It does say RHEL 9 is Affected on the second page of results (the first page is "1-10 of 12"). I find this UI non-intuitive, and keep forgetting more pages of results may exist. Anyway, good to know the issue is known and acknowledged.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394