Flipping Pages: New Linux vulnerability in nf_tables and exploitation techniques

Nature of the vulnerability and exploit

  • Discussion centers on a local privilege escalation in Linux netfilter/nf_tables (CVE-2024-1086) via a use-after-free/double-free bug.
  • Exploit allows escalation from unprivileged user to root and can read/write arbitrary physical memory; the published PoC mainly uses this to gain root.
  • Exploit also includes a namespace escape primitive, potentially allowing breakout from some container/sandbox setups.

Affected kernels, configs, and mitigations

  • Vulnerable kernel versions: approx. 5.14 through 6.6, excluding specific patched sub-versions (5.15.149+, 6.1.76+, 6.6.15+).
  • Exploit requires:
    • CONFIG_NF_TABLES=y (nf_tables enabled),
    • CONFIG_USER_NS=y with unprivileged user namespaces allowed (e.g., kernel.unprivileged_userns_clone = 1 on some distros),
    • For 6.4–6.6, CONFIG_INIT_ON_ALLOC_DEFAULT_ON must be n or exploit fails.
  • A hardening option CONFIG_INIT_ON_FREE_DEFAULT_ON reportedly breaks the exploit but is not enabled by most distros due to performance concerns (zeroing on free).

Containers, namespaces, and sandboxing

  • Exploit relies on namespace root to interact with nf_tables.
  • It is suggested that LXC and privileged Docker containers may be exploitable; unprivileged Docker containers likely are not, because they generally can’t create user namespaces.
  • Some note that browser and app sandboxes (Chrome, Electron, Flatpak/Bubblewrap) rely on user namespaces or suid helpers, highlighting a trade-off between sandboxing and kernel attack surface.

Distro impact and patching

  • Debian and Ubuntu are confirmed affected when running vulnerable kernels with unprivileged namespaces enabled; patches were pushed weeks before the PoC.
  • Ubuntu security advisory lists fixed kernel versions for LTS releases (e.g., Focal 5.4.0-174, Jammy 5.15.0-101, Mantic 6.5.0-26).
  • Some warn that users may have delayed kernel updates due to unrelated regressions (e.g., Nvidia issues).

Exploit reliability and user reports

  • Several users report the PoC failing cleanly on patched or hardened systems; others report system freezes or lockups on vulnerable kernels, VMs, and WSL.
  • Error messages like “failed to detect overwritten pte… is more PTE spray needed?” are reported and noted as expected on certain Ubuntu kernels where mitigations block the exploit.

Broader debates: security model, ethics, and difficulty

  • Strong debate over enabling unprivileged user namespaces by default: valuable for sandboxing vs. repeatedly exposing root-only kernel APIs to untrusted code.
  • Some argue single-user desktops gain more from sandboxes than from strict user/root separation; others emphasize root separation still matters (e.g., firmware compromise).
  • Ethical discussion contrasts public disclosure/CTF bounties with selling to offensive exploit brokers; some praise community-oriented disclosure.
  • Commenters discuss how modern mitigations (ASLR, canaries, KASLR) make exploitation harder but not impossible, especially for well-funded or highly skilled teams.