CISA Warning: Linux Kernel Bug (CVE-2024-1086) Actively Exploited by Ransomware for Root Access
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a high-severity flaw in the Linux kernel is being actively exploited in ransomware campaigns.
The vulnerability in question is CVE-2024-1086 — a use-after-free bug in the netfilter component, nf_tables. Disclosed on January 31, 2024 and patched in a January kernel commit, the flaw had existed for nearly a decade, having been introduced into the codebase as early as February 2014.
Successful exploitation allows an attacker with local access to escalate privileges to root, thereby gaining full control of the host. According to Immersive Labs, this capability enables adversaries to disable protections, modify files, deploy malware and move laterally across networks to steal data.
In late March, a researcher operating under the handle Notselwyn published a technical write-up and PoC exploit on GitHub demonstrating local privilege escalation on Linux kernels from 5.14 through 6.6.
The issue affects the vast majority of widely used distributions — Debian, Ubuntu, Fedora, Red Hat and others — running kernels from roughly 3.15 up to 6.8-rc1.
In its Known Exploited Vulnerabilities catalog update, CISA confirmed that CVE-2024-1086 is being leveraged in real-world ransomware operations; the agency has not yet disclosed campaign specifics.
CISA added the vulnerability to the KEV list in May 2024 and required federal agencies to remediate it by June 20.
Where immediate patching is not feasible, the agency recommends mitigations to reduce exposure:
- Disable nf_tables if the module is not required.
- Restrict access to user namespaces.
- Deploy the Linux Kernel Runtime Guard (LKRG) to hinder kernel modification, keeping in mind that it may affect system stability.
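
The first two mitigations can be checked per host with a short POSIX shell audit. This is an added example, not tooling from CISA or from the article; the function names and the three path variables are assumptions made here, and the version check uses only the rough upstream range quoted above.

```shell
#!/bin/sh
# Added example: audit one host against the interim mitigations listed above.
# The three path variables exist so the checks can run against constructed fixtures.
PROC_MODULES=${PROC_MODULES:-/proc/modules}
MODPROBE_DIR=${MODPROBE_DIR:-/etc/modprobe.d}
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# True if the upstream version is in the article's rough range (3.15 up to 6.8-rc1).
# Assumption: 6.8 pre-releases are not distinguished. Distro kernels backport the
# fix without changing major.minor, so a match means "check the vendor advisory".
kernel_in_range() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    v=$((major * 1000 + minor))
    [ "$v" -ge 3015 ] && [ "$v" -lt 6008 ]
}

# True if the nf_tables module is currently loaded.
nft_loaded() { grep -qs '^nf_tables ' "$PROC_MODULES"; }

# True if modprobe is configured to refuse loading nf_tables on demand.
nft_load_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true)' \
        "$MODPROBE_DIR"/*.conf
}

# True if unprivileged user namespaces are off. unprivileged_userns_clone is a
# Debian/Ubuntu sysctl; max_user_namespaces=0 stops user namespace creation entirely.
userns_restricted() {
    clone=$(cat "$SYSCTL_ROOT/kernel/unprivileged_userns_clone" 2>/dev/null || true)
    max=$(cat "$SYSCTL_ROOT/user/max_user_namespaces" 2>/dev/null || true)
    [ "$clone" = 0 ] || [ "$max" = 0 ]
}

# Print one line per check; the return value is the number of mitigation gaps.
audit() {
    gaps=0
    kernel_in_range "$1" && echo "kernel $1: in affected upstream range, verify vendor patch"
    if nft_loaded; then echo "nf_tables: loaded"; gaps=$((gaps + 1))
    elif ! nft_load_blocked; then echo "nf_tables: not loaded but loadable"; gaps=$((gaps + 1))
    else echo "nf_tables: blocked"; fi
    if userns_restricted; then echo "user namespaces: restricted"
    else echo "user namespaces: open to unprivileged users"; gaps=$((gaps + 1)); fi
    return "$gaps"
}

audit "$(uname -r)" || echo "$? mitigation gap(s) on this host"
```

A host that reports nf_tables as loaded may depend on it for firewalling (nftables, or iptables through its nft backend), so confirm that before blocking the module.
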
CISA reiterated that vulnerabilities of this class are frequently weaponized and pose a grave threat not only to government networks but also to the infrastructure of large enterprises.