Bug 2262126 (CVE-2024-1086) - CVE-2024-1086 kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
Keywords:
Status: NEW
Alias: CVE-2024-1086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: CVE-2024-26609
Depends On: 2262128
Blocks:
 
Reported: 2024-01-31 18:06 UTC by Patrick Del Bello
Modified: 2024-05-06 01:25 UTC

Fixed In Version: kernel 6.8-rc2
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:1338 | 0 | None | None | None | 2024-03-14 15:52:24 UTC
Red Hat Product Errata | RHBA-2024:1350 | 0 | None | None | None | 2024-03-18 08:41:27 UTC
Red Hat Product Errata | RHBA-2024:1699 | 0 | None | None | None | 2024-04-08 14:54:20 UTC
Red Hat Product Errata | RHBA-2024:2634 | 0 | None | None | None | 2024-05-01 01:22:27 UTC
Red Hat Product Errata | RHBA-2024:2650 | 0 | None | None | None | 2024-05-02 00:15:14 UTC
Red Hat Product Errata | RHBA-2024:2686 | 0 | None | None | None | 2024-05-02 22:50:21 UTC
Red Hat Product Errata | RHSA-2024:0930 | 0 | None | None | None | 2024-02-21 00:27:49 UTC
Red Hat Product Errata | RHSA-2024:1018 | 0 | None | None | None | 2024-02-28 12:41:40 UTC
Red Hat Product Errata | RHSA-2024:1019 | 0 | None | None | None | 2024-02-28 12:34:16 UTC
Red Hat Product Errata | RHSA-2024:1249 | 0 | None | None | None | 2024-03-12 00:47:38 UTC
Red Hat Product Errata | RHSA-2024:1332 | 0 | None | None | None | 2024-03-14 14:51:24 UTC
Red Hat Product Errata | RHSA-2024:1404 | 0 | None | None | None | 2024-03-19 17:28:07 UTC
Red Hat Product Errata | RHSA-2024:1607 | 0 | None | None | None | 2024-04-02 15:55:52 UTC
Red Hat Product Errata | RHSA-2024:1614 | 0 | None | None | None | 2024-04-02 17:22:05 UTC
Red Hat Product Errata | RHSA-2024:2394 | 0 | None | None | None | 2024-04-30 10:15:27 UTC
Red Hat Product Errata | RHSA-2024:2697 | 0 | None | None | None | 2024-05-06 01:25:28 UTC

Description Patrick Del Bello 2024-01-31 18:06:13 UTC
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.

We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660
https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660
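
The verdict arithmetic behind the description above, as an added example that is not part of the original report and is not kernel source: it models how a drop error packed into the upper 16 bits of a verdict is decoded, and why a check that looks only at the low verdict byte lets through a drop whose decoded error equals NF_ACCEPT. The constants follow include/uapi/linux/netfilter.h; the helper names (encode_drop, drop_geterr, hook_return_for_drop, mask_only_ok, strict_ok) are hypothetical, and the two checks are illustrative models, assumed rather than copied from any kernel version.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Verdict values and layout as in include/uapi/linux/netfilter.h. */
#define NF_DROP          0u
#define NF_ACCEPT        1u
#define NF_QUEUE         3u
#define NF_VERDICT_MASK  0x000000ffu
#define NF_VERDICT_QBITS 16

/* Pack "drop and report err" like NF_DROP_ERR(): -err goes in the top 16 bits. */
static uint32_t encode_drop(int err)
{
    return (((uint32_t)(-err) & 0xffffu) << NF_VERDICT_QBITS) | NF_DROP;
}

/* Decode like NF_DROP_GETERR(): sign-extend the top 16 bits, then negate. */
static int drop_geterr(uint32_t verdict)
{
    int hi = (int)(verdict >> NF_VERDICT_QBITS);
    return -(hi >= 0x8000 ? hi - 0x10000 : hi);
}

/* Model of the NF_DROP path: the packet is already freed when this value is returned. */
static int hook_return_for_drop(uint32_t verdict)
{
    int ret = drop_geterr(verdict);
    return ret == 0 ? -EPERM : ret;
}

/* Hypothetical lenient check: inspects only the low verdict byte. */
static bool mask_only_ok(uint32_t code)
{
    uint32_t v = code & NF_VERDICT_MASK;
    return v == NF_DROP || v == NF_ACCEPT || v == NF_QUEUE;
}

/* Hypothetical strict check: a verdict carrying any parameter bits is rejected. */
static bool strict_ok(uint32_t code)
{
    return code == NF_DROP || code == NF_ACCEPT || code == NF_QUEUE;
}

int main(void)
{
    /* Constructed sample: exit status 0 means the strict check rejected it. */
    return strict_ok(encode_drop(1)) ? 1 : 0;
}
```

A caller that receives 1 from the hook treats the packet as accepted and keeps using it, although the drop path has already freed it; that is the double free the description refers to.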

Comment 1 Patrick Del Bello 2024-01-31 18:06:49 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2262128]

Comment 9 errata-xmlrpc 2024-02-21 00:27:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0930 https://access.redhat.com/errata/RHSA-2024:0930

Comment 11 errata-xmlrpc 2024-02-28 12:34:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

Comment 12 errata-xmlrpc 2024-02-28 12:41:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

Comment 13 errata-xmlrpc 2024-03-12 00:47:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1249 https://access.redhat.com/errata/RHSA-2024:1249

Comment 17 errata-xmlrpc 2024-03-14 14:51:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1332 https://access.redhat.com/errata/RHSA-2024:1332

Comment 19 errata-xmlrpc 2024-03-19 17:28:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404

Comment 21 Alex 2024-04-02 10:51:02 UTC
*** Bug 2269217 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2024-04-02 15:55:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607

Comment 23 errata-xmlrpc 2024-04-02 17:22:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614

Comment 26 Alexander Peslyak 2024-04-07 00:16:18 UTC
Hi. https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all (it only mentions other major versions and 9.2 EUS), whereas 9.3 is in fact affected - the published exploit just works all the way to a root shell. I wonder if this maybe slipped through the cracks, and actually delays fixing the issue for 9.3/9.4? And even if not, it's something to fix on that access page. Thanks!

Comment 29 Alexander Peslyak 2024-04-08 17:54:37 UTC
> https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all

Oops, I was wrong, sorry! It does say RHEL 9 is Affected on the second page of results (the first page is "1-10 of 12"). I find this UI non-intuitive, and keep forgetting more pages of results may exist. Anyway, good to know the issue is known and acknowledged.

Comment 36 errata-xmlrpc 2024-04-30 10:15:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

Comment 39 errata-xmlrpc 2024-05-06 01:25:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2697 https://access.redhat.com/errata/RHSA-2024:2697

