This is an analysis of a public, patched, third-party CVE, written as a portfolio example. It does not represent original discovery by Goldberg Security Research.

Summary

nf_tables is the modern packet-classification framework behind nftables, the successor to iptables. CVE-2024-1086 is a use-after-free triggered by a logic error in how a hook verdict is validated. An unprivileged local user who can create network namespaces (enabled by default on most distributions via unprivileged user namespaces) can reach the vulnerable code, corrupt kernel heap memory, and escalate to root.

Root Cause

A netfilter hook returns a verdict: NF_ACCEPT, NF_DROP, NF_QUEUE, and so on. The verdict code lives in the low byte of a 32-bit value; the upper 16 bits carry a parameter (a queue number for NF_QUEUE, a negated errno for NF_DROP). The pre-fix nft_verdict_init() validated only the low byte, so a rule loaded from userspace could carry an NF_DROP verdict with an arbitrary positive value in the "drop error" bits. Downstream, nf_hook_slow() frees the skb on the drop path and then hands that drop error back to its caller as the return value; a crafted value makes the return value 1, which is exactly what the caller treats as NF_ACCEPT:

// Conceptually (simplified from nf_hook_slow()): the upper 16 bits of an
// NF_DROP verdict were not constrained, so a crafted value makes the drop
// path free the skb and then report "accepted" to the caller, which keeps
// using, and eventually frees, the same skb.

case NF_DROP:
    kfree_skb_reason(skb, ...);      // first free, on the drop path
    ret = NF_DROP_GETERR(verdict);   // attacker-influenced upper bits
    if (ret == 0)
        ret = -EPERM;
    return ret;                      // 1 here looks like NF_ACCEPT to NF_HOOK()

The result is a double-free of an sk_buff, which collapses into a classic use-after-free: the freed object is reclaimed by another allocation, and the dangling reference lets the attacker control kernel memory.
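To make the arithmetic behind that verdict bug concrete, here is an added user-space model of the pre-fix and post-fix validation and of the drop path. It is not code from this analysis or from the kernel: the NF_* constants mirror the netfilter uAPI, but verdict_init_vulnerable(), verdict_init_fixed(), hook_slow(), nf_hook_path() and the skb_model counter are simplified restatements written for illustration, and treating "a second kfree_skb()" as just a counter increment is an assumption that stands in for the real double free.

```c
/*
 * Added example (not from the original analysis, nor kernel source): a
 * user-space model of the CVE-2024-1086 verdict logic.  The NF_* values
 * mirror include/uapi/linux/netfilter.h; every function body below is a
 * simplified restatement of the kernel logic, not verbatim kernel code.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff   /* low byte: the verdict code      */
#define NF_VERDICT_QMASK 0xffff0000   /* upper 16 bits: the parameter     */
#define NF_VERDICT_QBITS 16

/* The drop error is a negated errno stored in the upper 16 bits.  The
 * helper works on a signed int, so the shift sign-extends: an upper half
 * of 0xffff yields -(-1) == 1, the value nf_hook_slow() returns for
 * "accepted".  (Modelled on the kernel's NF_DROP_GETERR; assumption.) */
static int nf_drop_geterr(int verdict)
{
    return -(verdict >> NF_VERDICT_QBITS);
}

/* Pre-fix check, modelled on nft_verdict_init(): only the low byte was
 * inspected, so any upper bits rode along with NF_DROP / NF_QUEUE. */
static int verdict_init_vulnerable(uint32_t code)
{
    switch (code & NF_VERDICT_MASK) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Post-fix check: the whole 32-bit code must be a bare verdict, so
 * userspace-supplied DROP/QUEUE parameters are rejected at rule load. */
static int verdict_init_fixed(uint32_t code)
{
    switch (code) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

struct skb_model {
    int freed;   /* number of times kfree_skb() ran on this skb */
};

/* Model of nf_hook_slow(): 1 means accepted, negative errno means dropped. */
static int hook_slow(struct skb_model *skb, uint32_t verdict)
{
    int ret;

    switch (verdict & NF_VERDICT_MASK) {
    case NF_ACCEPT:
        return 1;
    case NF_DROP:
        skb->freed++;                          /* kfree_skb_reason(skb, ...) */
        ret = nf_drop_geterr((int)verdict);    /* attacker-controlled upper bits */
        if (ret == 0)
            ret = -EPERM;
        return ret;
    default:
        return -EPERM;                         /* other verdicts not modelled */
    }
}

/* Model of NF_HOOK(): on 1 the packet continues to okfn(), whose normal
 * completion consumes (frees) the skb once more. */
static int nf_hook_path(struct skb_model *skb, uint32_t verdict)
{
    int ret = hook_slow(skb, verdict);

    if (ret == 1)
        skb->freed++;                          /* okfn() ... kfree_skb() */
    return ret;
}

/* Run a userspace verdict through validation and the hook path; returns
 * how many times the skb was freed (2 means the double free occurred). */
int frees_for_verdict(uint32_t code, int (*validate)(uint32_t))
{
    struct skb_model skb = { 0 };

    if (validate(code) != 0)
        return 0;            /* rule rejected at load time; nothing runs */
    nf_hook_path(&skb, code);
    return skb.freed;
}

int main(void)
{
    uint32_t crafted = NF_DROP | NF_VERDICT_QMASK;   /* drop error 0xffff */

    printf("NF_DROP_GETERR(0x%08x) = %d\n", crafted, nf_drop_geterr((int)crafted));
    printf("frees, vulnerable check: %d\n", frees_for_verdict(crafted, verdict_init_vulnerable));
    printf("frees, fixed check:      %d\n", frees_for_verdict(crafted, verdict_init_fixed));
    return 0;
}
```

The crafted verdict passes the old check, costs one free on the drop path, then returns 1 so the caller frees it again; the same verdict never reaches the hook once the whole 32-bit code is validated.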

Exploitation

The widely-cited public exploit (Notselwyn's "Flipping Pages") turns the double-free into a reliable root primitive without relying on any hardcoded kernel address, so KASLR does not stop it. The high-level chain:

  • Spray controlled objects so the freed sk_buff is reclaimed by an object the attacker controls.
  • Use the dangling reference to pivot into a page-level UAF ("Dirty Pagedirectory"–style), giving arbitrary read/write over page tables.
  • With page-table control, map and overwrite kernel structures to gain root and escape any sandbox.

Triggering the bug requires CAP_NET_ADMIN over the network namespace whose ruleset is being modified. An unprivileged user obtains that by unsharing a user namespace together with a network namespace (unshare -Urn), which works on default Ubuntu, Debian and Fedora configurations; if that command succeeds for an ordinary account, the host exposes the vulnerable code to every local user.

Impact

Full local privilege escalation to root from an unprivileged account. The flaw was added to CISA's Known Exploited Vulnerabilities catalog and has been observed in ransomware intrusions, making it a high-priority patch item for any multi-user or container host.

Remediation

  • Patch the kernel to a fixed stable release (the fix landed in early 2024 and is backported).
  • Disable unprivileged user namespaces if not required: sysctl -w kernel.unprivileged_userns_clone=0 (a knob carried by Debian/Ubuntu kernels) or, on any kernel, user.max_user_namespaces=0. Either breaks rootless containers, Flatpak and browser sandboxes that depend on user namespaces, so confirm nothing on the host needs them first.
  • Block nf_tables module loading where it isn't needed. Prefer an "install nf_tables /bin/false" line in /etc/modprobe.d over a plain "blacklist" entry: blacklist only ignores the module's aliases, while a direct modprobe by name still loads it. This only fits hosts with no nftables-based firewall, since firewalld and the iptables-nft backend used by ufw and Docker on current distributions all sit on nf_tables. Module signing policy does not help here: nf_tables is an in-tree, signed module.
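The following audit-and-harden script is an added example, not part of the original analysis or of any vendor tooling. It checks the two host preconditions named above (usable unprivileged user namespaces and nf_tables present or loadable) and can write the sysctl and modprobe settings listed. The ROOT parameter is a hypothetical convenience so the checks can be pointed at a constructed directory tree for testing; the sysctl and modprobe paths themselves are the real ones. It does not check the kernel version, because the fixed version differs per distribution.

```sh
#!/bin/sh
# Added example, not from the original analysis: audit a host for the
# preconditions of CVE-2024-1086 exposure and optionally harden it.
# Every function takes an optional ROOT prefix (hypothetical parameter,
# empty for the live system) so it can run against a constructed tree.

# Print the first line of a file under ROOT, or "absent" if unreadable.
read_knob() {
    if [ -r "$1/$2" ]; then
        head -n 1 "$1/$2"
    else
        echo absent
    fi
}

# Return 0 (exposed) if unprivileged user namespaces are usable, 1 if
# restricted.  Checks the Debian/Ubuntu-specific
# kernel.unprivileged_userns_clone knob first, then the generic
# user.max_user_namespaces limit.
userns_exposed() {
    root=${1:-}
    clone=$(read_knob "$root" proc/sys/kernel/unprivileged_userns_clone)
    [ "$clone" = 0 ] && return 1
    max=$(read_knob "$root" proc/sys/user/max_user_namespaces)
    [ "$max" = 0 ] && return 1
    return 0
}

# Return 0 if nf_tables is currently loaded (listed in /proc/modules).
nf_tables_loaded() {
    root=${1:-}
    grep -q '^nf_tables ' "$root/proc/modules" 2>/dev/null
}

# Return 0 if a modprobe.d rule already refuses to load nf_tables.
# "install nf_tables /bin/false" is used rather than "blacklist" because
# blacklist only ignores the module's aliases; a direct modprobe still works.
nf_tables_blocked() {
    root=${1:-}
    grep -qs '^install[[:space:]]*nf_tables[[:space:]]*/bin/false' \
        "$root"/etc/modprobe.d/*.conf 2>/dev/null
}

# One-word verdict: "exposed" when an unprivileged local user could reach
# nf_tables, "mitigated" when either precondition is closed.
assess() {
    root=${1:-}
    if userns_exposed "$root" && ! nf_tables_blocked "$root"; then
        echo exposed
    else
        echo mitigated
    fi
}

# Write the settings from the Remediation section under ROOT.  On the live
# system (empty ROOT) the sysctl is also applied immediately.  Note that
# user.max_user_namespaces=0 disables user namespaces for every user, which
# breaks rootless containers and Flatpak; check the host before applying.
harden() {
    root=${1:-}
    mkdir -p "$root/etc/sysctl.d" "$root/etc/modprobe.d"
    printf 'user.max_user_namespaces = 0\n' > "$root/etc/sysctl.d/99-no-userns.conf"
    printf 'install nf_tables /bin/false\n' > "$root/etc/modprobe.d/no-nf_tables.conf"
    if [ -z "$root" ] && command -v sysctl >/dev/null 2>&1; then
        sysctl -w user.max_user_namespaces=0 >/dev/null
    fi
}

# Stand-alone use: report on the live host, or harden it with --harden.
case "${1:-}" in
    --harden)
        harden ""
        echo "hardened: $(assess "")" ;;
    *)
        echo "this host: $(assess "")"
        echo "nf_tables loaded: $(nf_tables_loaded "" && echo yes || echo no)" ;;
esac
```

Run it without arguments as an audit; run it with --harden as root only on hosts where the loss of user namespaces and nftables has been accepted.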

Timeline

  • 2014 — Vulnerable logic introduced.
  • 2024-01-31 — Disclosed and patched in mainline.
  • 2024-05-30 — Added to CISA KEV catalog.
  • Late 2025 — Observed in active ransomware exploitation.

References