
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A use-after-free vulnerability was discovered in the Linux kernel's netfilter nf_tables component (CVE-2024-1086). The bug is in the nft_verdict_init() function, which accepts positive values as the drop error encoded in a hook verdict. When such an NF_DROP verdict reaches nf_hook_slow(), the skb is freed, but the drop error it returns to the caller equals NF_ACCEPT, so the caller keeps processing the already-freed buffer, which ends in a double free. The vulnerability affects Linux kernel versions from v3.15 up to v6.8-rc1; patches were released in February 2024 (Kernel Patch).
The root cause is missing input validation in netfilter verdict handling: nft_verdict_init() checks only the low verdict bits of the code supplied from user space, so a rule can be loaded whose verdict is NF_DROP with an arbitrary, positive drop error in the upper bits. Loading such a rule requires nf_tables to be available and unprivileged user namespaces to be enabled, because an unprivileged user obtains the CAP_NET_ADMIN needed to add rules only inside a user namespace (and network namespace) of their own. The vulnerability has been assigned a CVSS v3.1 score of 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
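To make the verdict confusion concrete, the following small user-space model is added here as an illustration; it is not kernel source and not the exploit. The NF_* constants and the NF_DROP_ERR / NF_DROP_GETERR encoding mirror the kernel's uapi netfilter headers, while hook_slow_model(), hook_return_for(), okfn_runs_on_freed_skb(), validate_verdict_vulnerable() and validate_verdict_fixed() are simplified, assumed stand-ins for nf_hook_slow(), NF_HOOK() and the pre- and post-fix nft_verdict_init() check, kept only to the parts the bug depends on.

```c
/*
 * Added example: user-space model of the CVE-2024-1086 verdict confusion.
 * Constants mirror include/uapi/linux/netfilter.h and nf_tables.h; the
 * functions below are simplified stand-ins for the kernel paths, not copies.
 */
#include <errno.h>
#include <stdio.h>

#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16

/* nftables-internal verdicts are negative so they cannot collide with NF_*. */
#define NFT_CONTINUE (-1)
#define NFT_BREAK    (-2)
#define NFT_JUMP     (-3)
#define NFT_GOTO     (-4)
#define NFT_RETURN   (-5)

/* Kernel: NF_DROP_ERR(x) = ((-x) << 16) | NF_DROP. Callers normally pass a
 * negative errno (e.g. -ENETUNREACH). Shift done unsigned to stay defined. */
static int nf_drop_err(int err)
{
    return (int)((((unsigned int)(-err)) << NF_VERDICT_QBITS) | NF_DROP);
}

/* Kernel: NF_DROP_GETERR(x) = -(x >> 16); relies on an arithmetic right shift. */
static int nf_drop_geterr(int verdict)
{
    return -(verdict >> NF_VERDICT_QBITS);
}

struct skb_model { int freed; };

/* Stand-in for nf_hook_slow(): on NF_DROP the skb is freed and the encoded
 * drop error becomes the return value. Queue/stolen paths are omitted. */
static int hook_slow_model(struct skb_model *skb, int verdict)
{
    switch (verdict & NF_VERDICT_MASK) {
    case NF_ACCEPT:
        return 1;                       /* NF_HOOK() treats 1 as "run okfn()" */
    case NF_DROP: {
        int ret;
        skb->freed = 1;                 /* kfree_skb_reason() */
        ret = nf_drop_geterr(verdict);
        if (ret == 0)
            ret = -EPERM;               /* plain NF_DROP reports -EPERM */
        return ret;                     /* meant to be negative, but not checked */
    }
    default:
        return 0;
    }
}

static int hook_return_for(int verdict)
{
    struct skb_model skb = { 0 };
    return hook_slow_model(&skb, verdict);
}

/* Stand-in for NF_HOOK(): 1 if okfn() would be invoked on a freed skb. */
static int okfn_runs_on_freed_skb(int verdict)
{
    struct skb_model skb = { 0 };
    int ret = hook_slow_model(&skb, verdict);
    return ret == 1 && skb.freed;
}

/* Simplified pre-fix nft_verdict_init() logic: the code is masked before the
 * check, so upper bits (the drop error) pass through untouched. */
static int validate_verdict_vulnerable(int code)
{
    switch (code) {
    case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN:
    case NFT_JUMP: case NFT_GOTO:       /* chain lookup omitted in this model */
        return 0;
    default:
        switch (code & NF_VERDICT_MASK) {
        case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
            return 0;
        default:
            return -EINVAL;
        }
    }
}

/* Simplified post-fix logic: exact matches only, so any verdict carrying
 * queue/drop parameters from user space is rejected with -EINVAL. */
static int validate_verdict_fixed(int code)
{
    switch (code) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
    case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN:
    case NFT_JUMP: case NFT_GOTO:
        return 0;
    default:
        return -EINVAL;
    }
}

int main(void)
{
    int bad = nf_drop_err(1);           /* NF_DROP with positive drop error 1 */
    printf("verdict 0x%08x: old check %d, new check %d, hook returns %d, freed skb reused: %d\n",
           (unsigned int)bad, validate_verdict_vulnerable(bad),
           validate_verdict_fixed(bad), hook_return_for(bad),
           okfn_runs_on_freed_skb(bad));
    return 0;
}
```

The point the model shows is that nothing on the hook path checks the sign of the drop error: NF_DROP_ERR(1) survives the old validator because the masked low byte is NF_DROP, and nf_hook_slow()'s return value of 1 is indistinguishable from NF_ACCEPT to NF_HOOK(), which then hands the freed skb to okfn(). The fixed validator closes this at rule-load time by refusing any verdict that is not an exact known code.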
Successful exploitation gives local privilege escalation: an unprivileged user gains root. Because containers share the host kernel, the published exploit also works from inside LXC containers and privileged Docker containers running on a vulnerable kernel, which makes it a container-to-host escape rather than a compromise contained to the container. The exploit's author reports a 93%-99% success rate across the kernel versions tested (Exploit Analysis).
The primary mitigation is to update to a kernel that contains the fix: v5.15.149 or later, v6.1.76 or later, or v6.6.15 or later, or the distribution kernel that backports the same commit. For systems that cannot be updated immediately, the exploit can be cut off at its first step by disabling unprivileged user namespaces: on Debian and Ubuntu kernels with kernel.unprivileged_userns_clone=0 (this sysctl exists only on those kernels), on other kernels with user.max_user_namespaces=0. Disabling network namespaces with user.max_net_namespaces=0 also works, because the exploit needs a fresh network namespace to reach nf_tables. Both settings break software that relies on unprivileged namespaces (rootless container runtimes, browser sandboxes, systemd service hardening), so test before rolling them out. If nf_tables is not required, the nf_tables module can be kept from loading; a plain blacklist entry does not stop explicit or dependency-driven loads, so a hard block needs an install line in /etc/modprobe.d that maps the module to /bin/false, and note that modern firewall front ends such as firewalld and iptables-nft depend on nf_tables (Openwall List).
The vulnerability has received significant attention in the security community, with multiple Linux distributions releasing patched kernels. The exploit's author published a detailed technical analysis that has been widely discussed. The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog, which requires federal agencies to patch by June 20, 2024 (Hacker News).
Source: This report was generated using AI