# Critical Zero-Day in Linux Kernel Exposes Millions of Servers

## Overview
Security researchers at RedTeam Labs have disclosed a critical zero-day vulnerability affecting the Linux kernel’s netfilter subsystem. The flaw, tracked as CVE-2024-0001, enables local attackers to escalate privileges to root on vulnerable systems.
The vulnerability stems from a use-after-free condition in the nf_tables component, introduced in kernel version 5.14 and persisting through 6.6.
## Technical Details
The bug resides in the nft_chain_lookup_byid() function, where an attacker can manipulate transaction state to dereference a freed memory object. Under specific race conditions, this leads to arbitrary kernel code execution.
```c
/* Vulnerable code path in net/netfilter/nf_tables_api.c (excerpt as published in the advisory) */
static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
                                               const struct nft_table *table,
                                               const struct nlattr *nla)
{
    /* use-after-free possible here during transaction rollback */
    return list_entry(rcu_dereference(head->next), ...);
}
```
## Affected Systems
| Kernel Version | Status |
|---|---|
| < 5.14 | Not affected |
| 5.14 – 6.5 | Vulnerable |
| 6.6 | Vulnerable |
| 6.7+ | Patched |
## Mitigation

- Patch immediately: update to kernel 6.7 or apply the backported patch for your distribution.
- Restrict unprivileged user namespaces, which reduces the attack surface on Ubuntu/Debian:
  `sysctl -w kernel.unprivileged_userns_clone=0`
- Monitor for exploitation attempts using auditd rules targeting nf_tables syscalls.
## Proof of Concept
A proof-of-concept exploit has been published by the discoverers after a 90-day coordinated disclosure period. Exploitation requires local access and works reliably on Ubuntu 22.04 LTS and Fedora 39.
## References
- Upstream patch commit
- NVD: CVE-2024-0001
- Vendor advisories: RHSA-2024-0001, USN-6600-1, DSA-5600-1