Bug 928304 - (CVE-2024-1086) Use-after-free in nf_tables component facilitates privilege escalation
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2024-03-31 19:25 UTC by kfm
Modified: 2024-03-31 19:45 UTC
Description kfm 2024-03-31 19:25:43 UTC
Per https://nvd.nist.gov/vuln/detail/CVE-2024-1086 ...

"A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660."

Here is a link to the commit in question:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660

Here is a post describing the exploit in detail:

https://pwning.tech/nftables/
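
The verdict handling that the NVD text describes, as an added example that is not part of the bug report or the kernel source: a userspace C model in which a check on only the low verdict byte lets a drop-error parameter through, beside a check that requires a bare verdict. The helper names, the sample verdict words and the strict check are assumptions made for illustration; the constants are those of include/uapi/linux/netfilter.h.

```c
/* Userspace model of netfilter verdict words (illustration, not kernel code). */
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in include/uapi/linux/netfilter.h */
#define NF_DROP          0u
#define NF_ACCEPT        1u
#define NF_QUEUE         3u
#define NF_VERDICT_MASK  0x000000ffu
#define NF_VERDICT_QBITS 16

/* Hypothetical helper: decode the drop error carried in the upper 16 bits.
 * Sign extension is done by hand so the result does not depend on how the
 * compiler shifts negative values. A sane drop error decodes to <= 0. */
static int drop_err(uint32_t verdict)
{
    int32_t hi = (int32_t)(verdict >> NF_VERDICT_QBITS);
    if (hi & 0x8000)
        hi -= 0x10000;
    return -hi;
}

/* Lenient check (the behaviour the advisory describes): only the low byte
 * is inspected, so any parameter in the upper bits passes validation. */
static int verdict_ok_lenient(uint32_t code)
{
    uint32_t v = code & NF_VERDICT_MASK;
    return v == NF_ACCEPT || v == NF_DROP || v == NF_QUEUE;
}

/* Strict check (assumed hardened form): the whole word must be a bare
 * verdict, so user-supplied rules cannot carry a drop error at all. */
static int verdict_ok_strict(uint32_t code)
{
    return code == NF_ACCEPT || code == NF_DROP || code == NF_QUEUE;
}

int main(void)
{
    /* Constructed samples: bare drop, drop with errno 5, drop with sign bit set. */
    const uint32_t samples[] = { NF_DROP, NF_DROP | (5u << 16), NF_DROP | (0x8000u << 16) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x lenient=%d strict=%d drop_err=%d\n", (unsigned)samples[i],
               verdict_ok_lenient(samples[i]), verdict_ok_strict(samples[i]),
               drop_err(samples[i]));
    return 0;
}
```

The third sample passes the lenient check yet decodes to a positive drop error, which is the class of value the advisory says should never reach nf_hook_slow().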
Comment 1 kfm 2024-03-31 19:45:16 UTC
This is older than I initially realised. For 6.6, the fix landed in 6.6.15 so both gentoo-kernel and gentoo-kernel-bin are in good standing.