CISA Warns Of CVE-2024-1086 Linux Kernel Ransomware Risk


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning after confirming that a critical flaw in the Linux Kernel, tracked as CVE-2024-1086, is being actively exploited in ongoing ransomware attacks targeting Linux systems worldwide. 

CVE-2024-1086 is a use-after-free vulnerability in the Linux Kernel’s netfilter nf_tables subsystem. The flaw arises because the nft_verdict_init() function allows positive values to be used as the drop error within the hook verdict; when nf_hook_slow() then mishandles that NF_DROP verdict, the same memory can be freed twice, producing a double-free condition.

Although the faulty code dates back to a commit from February 2014, the vulnerability was not officially disclosed until January 31, 2024. A patch to address it was submitted in January 2024.

Scope and Impact of CVE-2024-1086

The Linux Kernel flaw affects versions from 3.15 up to 6.8-rc1, meaning a wide range of major Linux distributions are vulnerable. Impacted systems include: 

  • Ubuntu: 18.04, 20.04, 22.04, and 23.10
  • Red Hat Enterprise Linux (RHEL):
      • RHEL 7 – 3.10.0-1062.4.1.el7
      • RHEL 8 – 4.18.0-147.el8
      • RHEL 9 – 5.14.0-362.24.2.el9_3
  • Debian: kernel version 6.1.76-1

Exploitation of CVE-2024-1086 allows attackers with local access to escalate their privileges to root level, granting full control of compromised systems. With root access, threat actors can disable security protections, install malware, move laterally within a network, steal data, and deploy ransomware payloads. 

Ransomware Connection and Agency Action

CISA has now confirmed that CVE-2024-1086 is being used in ransomware attacks. The vulnerability was initially added to the agency’s Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, with federal agencies ordered to apply security patches or mitigations no later than June 20, 2024. 

In its official statement, CISA described this Linux Kernel flaw as a “frequent attack vector for malicious cyber actors,” emphasizing the significant risks it poses to government and enterprise networks alike. Agencies and organizations are instructed to follow vendor guidance for patching or discontinue use of affected products if no fixes are available. 

Exploit Availability and Threat Landscape

In late March 2024, a security researcher using the alias Notselwyn released a detailed write-up and a proof-of-concept (PoC) exploit for CVE-2024-1086. The PoC demonstrated how attackers could achieve local privilege escalation on Linux kernel versions ranging from 5.14 to 6.6. 

According to security researchers, the exploit has proven to be highly reliable, showing success rates exceeding 99% in some tests. The public availability of this exploit code, combined with confirmed use in ransomware operations, significantly increases the risk of widespread attacks. 

Mitigation and Recommended Actions

System administrators are advised to verify immediately whether their Linux installations are affected. Running the command uname -r will reveal the kernel version in use. If the version falls between 3.15 and 6.8-rc1, the system may still be vulnerable. 

To protect against exploitation: 

  • Update to Linux Kernel 6.8-rc2 or later, or apply vendor-provided patches. 
  • Blocklist the nf_tables module if it is not required. 
  • Restrict access to user namespaces to minimize the attack surface. 
  • Consider loading the Linux Kernel Runtime Guard (LKRG) module to add runtime protection, though administrators should be aware that it may affect system stability. 
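The following POSIX shell script is an added example, not part of the CISA advisory or the original article. It audits a host against the checks described above: it parses the output of uname -r and reports whether the mainline version falls in the affected 3.15 to 6.8-rc1 range, whether the nf_tables module is currently loaded, whether it is blocklisted under /etc/modprobe.d, and whether unprivileged user namespaces are restricted. The version check only recognises the mainline range; distributions backport fixes without changing the version number, so a hit means "consult the vendor advisory", not "confirmed vulnerable". The sysctl names kernel.unprivileged_userns_clone (Debian/Ubuntu kernels) and user.max_user_namespaces (mainline) are real, but which one exists depends on the kernel build. All functions are read-only.

```shell
#!/bin/sh
# Added example: read-only audit of a Linux host for the CVE-2024-1086
# mitigation checklist (kernel version range, nf_tables module, user namespaces).

# Print "major minor" from a uname -r style string,
# e.g. "5.14.0-362.24.2.el9_3" -> "5 14", "6.8-rc1" -> "6 8".
kernel_major_minor() {
    base=${1%%-*}          # drop "-<release suffix>" (e.g. -generic, -rc1)
    major=${base%%.*}
    case "$base" in
        *.*) rest=${base#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    echo "$major $minor"
}

# Return 0 if the version string lies in the affected mainline range
# 3.15 <= version <= 6.8-rc1 (6.8-rc2 carries the fix), 1 otherwise.
kernel_in_affected_range() {
    ver=$1
    case "$ver" in
        6.8-rc1*) return 0 ;;   # last affected mainline tag
        6.8-rc*)  return 1 ;;   # rc2 and later are fixed
    esac
    set -- $(kernel_major_minor "$ver")
    major=$1; minor=$2
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 15 ]; }; then
        return 1
    fi
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        return 1
    fi
    return 0
}

# 0 if nf_tables is currently loaded (first column of /proc/modules).
nf_tables_loaded() {
    grep -q '^nf_tables ' /proc/modules 2>/dev/null
}

# 0 if a modprobe.d file blocklists nf_tables, either via the usual
# "install nf_tables /bin/false" idiom or a plain "blacklist nf_tables" line.
nf_tables_blocklisted() {
    grep -Eqs '^[[:space:]]*(install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+nf_tables)' \
        /etc/modprobe.d/*.conf 2>/dev/null
}

# Print restricted / open / unknown for unprivileged user namespace creation.
unprivileged_userns_status() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "0" ] && echo restricted || echo open
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" = "0" ] && echo restricted || echo open
    else
        echo unknown
    fi
}

audit_host() {
    running=$(uname -r)
    printf 'kernel: %s\n' "$running"
    if kernel_in_affected_range "$running"; then
        echo "  mainline version in 3.15..6.8-rc1: check the vendor advisory (backported fixes keep the version number)"
    else
        echo "  outside the affected mainline range"
    fi
    if nf_tables_loaded; then echo "  nf_tables: loaded"; else echo "  nf_tables: not loaded"; fi
    if nf_tables_blocklisted; then
        echo "  nf_tables: blocklisted in /etc/modprobe.d"
    else
        echo "  nf_tables: not blocklisted (if unneeded, add 'install nf_tables /bin/false' to a file in /etc/modprobe.d/)"
    fi
    printf '  unprivileged user namespaces: %s\n' "$(unprivileged_userns_status)"
}

audit_host
```

Run it as an unprivileged user on each host; it needs no root because it only reads /proc and /etc/modprobe.d. Treat the version-range result as a prompt to check the distribution's advisory rather than a verdict, since a patched RHEL or Debian kernel still reports a version inside the range.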
