CISA confirmed on Thursday that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks.
The vulnerability (tracked as CVE-2024-1086) was disclosed on January 31, 2024, as a use-after-free weakness in the kernel's netfilter nf_tables component and was fixed by a commit submitted in January 2024, but it was first introduced by a decade-old commit in February 2014.
Successful exploitation enables attackers with local access to escalate privileges on the target system, potentially resulting in root-level access to compromised devices.
As Immersive Labs explains, potential impact includes system takeover once root access is gained (allowing attackers to disable defenses, modify files, or install malware), lateral movement through the network, and data theft.
In late March 2024, a security researcher using the ‘Notselwyn’ alias published a detailed write-up and proof-of-concept (PoC) exploit code targeting CVE-2024-1086 on GitHub, showcasing how to achieve local privilege escalation on Linux kernel versions between 5.14 and 6.6.
The flaw impacts many major Linux distributions, including but not limited to Debian, Ubuntu, Fedora, and Red Hat, which use kernel versions from 3.15 to 6.8-rc1.
Flagged as exploited in ransomware attacks
In a Thursday update to its catalog of vulnerabilities exploited in the wild, the U.S. cybersecurity agency said the flaw is now known to be used in ransomware campaigns, but didn’t provide more information regarding ongoing exploitation attempts.
CISA added this security flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and ordered federal agencies to secure their systems by June 20, 2024.
If patching is not possible, IT admins are advised to apply one of the following mitigations:
- Blocklist ‘nf_tables’ if it’s not needed/actively used,
- Restrict access to user namespaces to limit the attack surface,
- Load the Linux Kernel Runtime Guard (LKRG) module (however, this can cause system instability).
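The following script is an added example, not code from the article, CISA, or any vendor. It stages the first two mitigations in the list above as configuration fragments and checks a kernel version string against the affected range the article gives (3.15 up to 6.8-rc1). The PREFIX argument, the file names under modprobe.d and sysctl.d, and the fixed version range are assumptions made for this example; the sysctl key user.max_user_namespaces and the modprobe "blacklist"/"install" directives are standard kernel and kmod features.

```shell
#!/bin/sh
# Added example (not from the article): stage the non-LKRG mitigations for
# CVE-2024-1086 as config fragments and check a kernel version string against
# the affected range the article cites (3.15 .. 6.8-rc1). PREFIX (assumed
# parameter, default "" = the live system) lets the fragments be written to a
# scratch directory for review before touching /etc.
set -u

# Succeeds (exit 0) when version "$1" lies in [3.15, 6.8-rc1]. Pre-release
# tags (-rcN) sort before their final release, so 6.8-rc1 is inside the range
# and 6.8.0 is outside it. Distro suffixes such as "-91-generic" are ignored;
# only major.minor is compared.
kernel_in_affected_range() {
    ver=$1
    case "$ver" in
        *-rc*) pre=0 ;;
        *)     pre=5 ;;
    esac
    base=${ver%%-*}
    case "$base" in *.*) ;; *) return 2 ;; esac   # need at least major.minor
    major=${base%%.*}
    minor=${base#*.}
    minor=${minor%%.*}
    case "$major$minor" in *[!0-9]*|'') return 2 ;; esac
    key=$((major * 10000 + minor * 10 + pre))
    [ "$key" -ge 30155 ] && [ "$key" -le 60080 ]   # 3.15 .. 6.8-rc1
}

# Mitigation 1: keep nf_tables from being loaded. "blacklist" only stops
# alias-based autoloading; the "install" line also defeats an explicit
# modprobe. Do not apply this on hosts whose firewall is built on nftables.
stage_nf_tables_blocklist() {
    prefix=${1:-}
    dir="$prefix/etc/modprobe.d"
    mkdir -p "$dir"
    printf '%s\n' \
        '# CVE-2024-1086 mitigation: prevent loading of nf_tables' \
        'blacklist nf_tables' \
        'install nf_tables /bin/false' \
        > "$dir/cve-2024-1086-nf_tables.conf"
    echo "$dir/cve-2024-1086-nf_tables.conf"
}

# Mitigation 2: disable user namespaces. nf_tables is normally reachable
# only with CAP_NET_ADMIN, which an unprivileged user can otherwise obtain
# inside a user namespace; closing them removes that path. This also breaks
# rootless containers and some browser sandboxes, so test before rollout.
# (Debian/Ubuntu kernels additionally offer kernel.unprivileged_userns_clone.)
stage_userns_restriction() {
    prefix=${1:-}
    dir="$prefix/etc/sysctl.d"
    mkdir -p "$dir"
    printf '%s\n' \
        '# CVE-2024-1086 mitigation: no user namespaces for any user' \
        'user.max_user_namespaces = 0' \
        > "$dir/99-cve-2024-1086-userns.conf"
    echo "$dir/99-cve-2024-1086-userns.conf"
}

# Usage: sh mitigate.sh --check            report on the running kernel
#        sh mitigate.sh --stage [PREFIX]   write the fragments under PREFIX
case "${1:-}" in
    --check)
        if kernel_in_affected_range "$(uname -r)"; then
            echo "$(uname -r): inside the affected range; patch or mitigate"
        else
            echo "$(uname -r): outside the 3.15 .. 6.8-rc1 range"
        fi ;;
    --stage)
        stage_nf_tables_blocklist "${2:-}"
        stage_userns_restriction "${2:-}"
        echo "review the files, then run: sysctl --system (modprobe rule applies to future loads)" ;;
esac
```

The version check is deliberately coarse: it treats the whole 3.15 to 6.8-rc1 span as affected regardless of distribution backports, so a patched vendor kernel that still reports an old version string will be flagged. Confirm against the vendor's advisory for your specific package rather than relying on the version string alone.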
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”