Flipping Pages: New Linux vulnerability in nf_tables and exploitation techniques
Nature of the vulnerability and exploit
- Discussion centers on a local privilege escalation in Linux netfilter/nf_tables (CVE-2024-1086) via a use-after-free/double-free bug.
- Exploit allows escalation from unprivileged user to root and can read/write arbitrary physical memory; the published PoC mainly uses this to gain root.
- Exploit also includes a namespace escape primitive, potentially allowing breakout from some container/sandbox setups.
Affected kernels, configs, and mitigations
- Vulnerable kernel versions: approx. 5.14 through 6.6, excluding specific patched sub-versions (5.15.149+, 6.1.76+, 6.6.15+).
- Exploit requires:
CONFIG_NF_TABLES=y(nf_tables enabled),CONFIG_USER_NS=ywith unprivileged user namespaces allowed (e.g.,kernel.unprivileged_userns_clone = 1on some distros),- For 6.4–6.6,
CONFIG_INIT_ON_ALLOC_DEFAULT_ONmust benor exploit fails.
- A hardening option
CONFIG_INIT_ON_FREE_DEFAULT_ONreportedly breaks the exploit but is not enabled by most distros due to performance concerns (zeroing on free).
Containers, namespaces, and sandboxing
- Exploit relies on namespace root to interact with nf_tables.
- It is suggested that LXC and privileged Docker containers may be exploitable; unprivileged Docker containers likely are not, because they generally can’t create user namespaces.
- Some note that browser and app sandboxes (Chrome, Electron, Flatpak/Bubblewrap) rely on user namespaces or suid helpers, highlighting a trade-off between sandboxing and kernel attack surface.
Distro impact and patching
- Debian and Ubuntu are confirmed affected when running vulnerable kernels with unprivileged namespaces enabled; patches were pushed weeks before the PoC.
- Ubuntu security advisory lists fixed kernel versions for LTS releases (e.g., Focal 5.4.0-174, Jammy 5.15.0-101, Mantic 6.5.0-26).
- Some warn that users may have delayed kernel updates due to unrelated regressions (e.g., Nvidia issues).
Exploit reliability and user reports
- Several users report the PoC failing cleanly on patched or hardened systems; others report system freezes or lockups on vulnerable kernels, VMs, and WSL.
- Error messages like “failed to detect overwritten pte… is more PTE spray needed?” are reported and noted as expected on certain Ubuntu kernels where mitigations block the exploit.
Broader debates: security model, ethics, and difficulty
- Strong debate over enabling unprivileged user namespaces by default: valuable for sandboxing vs. repeatedly exposing root-only kernel APIs to untrusted code.
- Some argue single-user desktops gain more from sandboxes than from strict user/root separation; others emphasize root separation still matters (e.g., firmware compromise).
- Ethical discussion contrasts public disclosure/CTF bounties with selling to offensive exploit brokers; some praise community-oriented disclosure.
- Commenters discuss how modern mitigations (ASLR, canaries, KASLR) make exploitation harder but not impossible, especially for well-funded or highly skilled teams.