A vulnerability has been discovered in the Linux kernel's nftables subsystem, specifically within the net/netfilter module, that could allow attackers to achieve local privilege escalation through a double free in nft_pipapo_destroy(). Tracked as CVE-2024-26809, the flaw impacts kernel versions 6.1-rc1 and later, as well as 5.15.54 and later.
This vulnerability originates from a logic flaw in the destruction process of pipapo sets, which are used in nftables for packet filtering. Under specific conditions, an element may exist in both match and clone, and the function attempts to free it twice, resulting in memory corruption.
The function in question:

    static void nft_pipapo_destroy(const struct nft_ctx *ctx, const struct nft_set *set)
    {
        struct nft_pipapo *priv = nft_set_priv(set);
        struct nft_pipapo_match *m;
        int cpu;

        m = rcu_dereference_protected(priv->match, true);
        if (m) {
            ...
            nft_set_pipapo_match_destroy(ctx, set, m);
            ...
        }

        if (priv->clone) {
            m = priv->clone;

            if (priv->dirty)
                nft_set_pipapo_match_destroy(ctx, set, m);
            ...

This code calls nft_set_pipapo_match_destroy() twice on overlapping memory regions when the dirty flag is set: once through match and again through clone. The overlap occurs because a set element may simultaneously belong to both match and clone, so the same element is released twice.

The exploit for CVE-2024-26809 involves heap grooming and manipulation using the kernel's object cache system (specifically kmalloc-256). The attacker strategically allocates and frees memory to:
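The double release in the destroy path, shown as an added user-space model that is not the kernel's code and not its patch: the element, match and clone structures are simplified stand-ins, releases are counted instead of freed, and the "fixed" variant is an assumed single-view release used only to contrast with the buggy shape.

```c
/* Added example, not kernel code: a user-space model of the nft_pipapo_destroy() flaw
 * above. The "fixed" path is an assumed model (release via one view only), not the
 * kernel's actual patch. Releases are counted rather than freed, so nothing is corrupted. */
#include <stdbool.h>
#include <string.h>
#define NELEMS 4
struct elem { int id; };                    /* stands in for nft_pipapo_elem */
struct match { struct elem *e[NELEMS]; };   /* stands in for nft_pipapo_match */
struct pipapo { struct match *match, *clone; bool dirty; };  /* nft_pipapo */
static int release_count[NELEMS];           /* releases seen per element id */

/* Stand-in for nft_set_pipapo_match_destroy(): release every element in one view. */
static void match_destroy(const struct match *m)
{
    for (int i = 0; i < NELEMS; i++)
        if (m->e[i]) release_count[m->e[i]->id]++;
}

/* Buggy shape: elements released via match, then again via clone when dirty. */
static void destroy_buggy(struct pipapo *priv)
{
    if (priv->match) match_destroy(priv->match);
    if (priv->clone && priv->dirty) match_destroy(priv->clone);
}

/* Modelled fix: release elements through exactly one view, never both. */
static void destroy_fixed(struct pipapo *priv)
{
    if (priv->clone) match_destroy(priv->clone);
    else if (priv->match) match_destroy(priv->match);
}

/* Build a set whose clone shares every element pointer with match (the overlap the
 * text describes), run one destroy path, return how many elements were released
 * exactly `times` times. */
int elems_released_times(bool use_fix, bool dirty, int times)
{
    struct elem elems[NELEMS];
    struct match m, c;
    struct pipapo priv = { &m, &c, dirty };
    int hits = 0;
    memset(release_count, 0, sizeof release_count);
    for (int i = 0; i < NELEMS; i++) {
        elems[i].id = i;
        m.e[i] = c.e[i] = &elems[i];        /* same object in both views */
    }
    if (use_fix) destroy_fixed(&priv); else destroy_buggy(&priv);
    for (int i = 0; i < NELEMS; i++)
        hits += (release_count[i] == times);
    return hits;
}
```

With dirty set, the buggy path reports every element released twice, which is the condition a real allocator would turn into heap corruption; the single-view path releases each element exactly once.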
"After completing the stack migration, we can run ROPgadget and finally get the root shell," the analysis states. The attack demonstrates an advanced understanding of kernel memory structures and showcases how subtle memory bugs can be weaponized for full system compromise. A working Proof-of-Concept (PoC) exploit is available, illustrating how the vulnerability can be chained to gain kernel code execution. The vulnerability was addressed by this commit. Users of affected kernel versions are strongly advised to update their systems to include this patch to mitigate the risk posed by CVE-2024-26809.