CVE-2024-1086
| CVE Published | 2024-01-31 |
|---|---|
| Related CWE(s) | CWE-416: Use After Free |
| Related Vendor(s) | netapp, debian, redhat, linux, fedoraproject |
| Related Product(s) | enterprise_linux_for_power_little_endian, fedora, enterprise_linux_desktop, enterprise_linux_workstation, enterprise_linux_for_ibm_z_systems, 500f_firmware, c250_firmware, enterprise_linux_for_power_big_endian, enterprise_linux_server, debian_linux, linux_kernel, a250_firmware |
| Exploitation Reported (CISA KEV) | 2024-05-30 |
| CVSS 3 Base Score | 7.8 (HIGH) |
| CVSS 3 Attack Complexity | LOW |
| CVSS 3 Attack Vector | LOCAL |
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.
We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
Cyber Threat Graph Context
Explore how this CVE relates to the wider threat graph