Ransomware Exploitation of Linux Kernel CVE-2024-1086 Privilege Escalation Flaw
CISA has confirmed that ransomware groups are actively exploiting a high-severity privilege escalation vulnerability in the Linux kernel, tracked as CVE-2024-1086. The flaw is a use-after-free in the netfilter nf_tables subsystem (the kernel side of nftables). It was introduced in 2014 and patched in January 2024, but remains a significant risk on unpatched systems. A local attacker who can reach the nf_tables netlink interface can escalate privileges to root, enabling full system takeover, disabling of security defenses, installation of malware, and lateral movement within networks. Configuring nf_tables normally requires CAP_NET_ADMIN, which an otherwise unprivileged user obtains inside an unprivileged user namespace with its own network namespace; that is why restricting user namespaces is an effective stopgap. The vulnerability affects a wide range of major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat, across kernel versions from 3.15 to 6.8-rc1. Distribution kernels backport the fix without changing the version number, so the kernel package changelog, not the version string, is the authority on whether a host is patched. In March 2024, a security researcher published a detailed proof-of-concept exploit, further increasing the risk of widespread exploitation.
CISA added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and mandated that federal agencies secure affected systems by June 20, 2024. Despite the availability of a patch, ransomware campaigns have begun leveraging this flaw, though CISA has not disclosed specific threat actor identities or detailed attack campaigns. The primary remediation is the kernel update. Where that cannot be applied immediately, the published mitigations are: blocklisting the nf_tables module (only viable where nftables or firewalld is not in use, and only effective if the module is not already loaded or built into the kernel), restricting unprivileged user namespaces (which also affects rootless containers and sandboxed browsers), or loading the Linux Kernel Runtime Guard (LKRG) module, which aims to detect and block the exploitation technique rather than remove the bug. The public availability of exploit code and the broad impact across Linux environments underscore the urgency for organizations to address this vulnerability to prevent ransomware-driven compromise and data theft.
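The following audit script is an added example, not code from the article, from CISA, or from the kernel project. It checks a host for the three mitigations listed above and in the June 20, 2024 timeline entry (nf_tables blocklisted, unprivileged user namespaces restricted, LKRG loaded) and reports whether the unprivileged path to nf_tables is closed. The module name, the /etc/modprobe.d location, the sysctl names (user.max_user_namespaces everywhere; kernel.unprivileged_userns_clone only on Debian and Arch kernels; kernel.apparmor_restrict_unprivileged_userns on Ubuntu) and the LKRG module name are the standard ones but are assumptions to verify against your vendor's advisory. The parsing helpers take text as arguments so they can be exercised on the constructed sample inputs embedded in the script; audit_live_host feeds them the real system state.

```shell
#!/bin/sh
# Added audit example for the CVE-2024-1086 mitigations (not from the article).
# Assumed: module "nf_tables", configs under /etc/modprobe.d, sysctls
# user.max_user_namespaces, kernel.unprivileged_userns_clone (Debian/Arch),
# kernel.apparmor_restrict_unprivileged_userns (Ubuntu), LKRG module "lkrg".

# 0 if lsmod output lists nf_tables as a loaded module.
nf_tables_loaded() {
    printf '%s\n' "$1" | grep -Eq '^nf_tables[[:space:]]'
}

# 0 if nf_tables is compiled into the kernel (modules.builtin content);
# a modprobe blocklist cannot keep a built-in out.
nf_tables_builtin() {
    printf '%s\n' "$1" | grep -q '/nf_tables\.ko$'
}

# 0 if modprobe.d content blocks nf_tables. "install nf_tables /bin/false" is
# the robust form: "blacklist" only suppresses alias-based autoloading and does
# not stop an explicit modprobe or a dependency pull by another module.
nf_tables_blocklisted() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+nf_tables)[[:space:]]*$'
}

# 0 if unprivileged user namespace creation is disabled.
# $1 user.max_user_namespaces, $2 kernel.unprivileged_userns_clone ("" if the
# sysctl does not exist), $3 kernel.apparmor_restrict_unprivileged_userns
# ("" if absent; a value of 1 blocks unconfined processes only, so it is partial).
userns_restricted() {
    [ "$1" = "0" ] && return 0
    [ "$2" = "0" ] && return 0
    [ "$3" = "1" ] && return 0
    return 1
}

# 0 if LKRG is loaded (module "lkrg"; older releases used "p_lkrg").
lkrg_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(p_)?lkrg[[:space:]]'
}

# Verdict: prints one line, returns 0 only if a mitigation closes the
# unprivileged path to nf_tables. This does not prove the kernel is patched;
# distribution kernels backport the fix without changing the version string.
# Args: lsmod text, modules.builtin text, modprobe.d text, then the three
# sysctl values in the order userns_restricted expects.
assess() {
    if userns_restricted "$4" "$5" "$6"; then
        echo "MITIGATED: unprivileged user namespaces restricted"; return 0
    fi
    if nf_tables_blocklisted "$3" && ! nf_tables_loaded "$1" && ! nf_tables_builtin "$2"; then
        echo "MITIGATED: nf_tables blocklisted and not loaded"; return 0
    fi
    if lkrg_loaded "$1"; then
        echo "HARDENED: LKRG loaded (detects exploitation, does not remove the bug); patch anyway"; return 0
    fi
    if nf_tables_blocklisted "$3"; then
        echo "EXPOSED: nf_tables blocklisted but already loaded or built in; unload it or reboot"; return 1
    fi
    echo "EXPOSED: no mitigation in place; apply the kernel update"; return 1
}

# Collect the real state of this host and assess it.
audit_live_host() {
    mods=$(lsmod 2>/dev/null || true)
    builtins=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null || true)
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    max_ns=$(sysctl -n user.max_user_namespaces 2>/dev/null || true)
    clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || true)
    aa=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || true)
    assess "$mods" "$builtins" "$conf" "$max_ns" "$clone" "$aa"
}

# Constructed sample inputs (not captured from a real host) for dry runs.
SAMPLE_LSMOD_NFT='Module                  Size  Used by
nf_tables             372736  0
nfnetlink              20480  1 nf_tables'
SAMPLE_LSMOD_LKRG='lkrg                  573440  0
nfnetlink              20480  0'
SAMPLE_BUILTIN_NFT='kernel/net/netfilter/nfnetlink.ko
kernel/net/netfilter/nf_tables.ko'
SAMPLE_CONF_INSTALL='# CVE-2024-1086 mitigation
install nf_tables /bin/false'
SAMPLE_CONF_BLACKLIST='blacklist nf_tables'

# Usage: sh audit_cve_2024_1086.sh --live
[ "${1:-}" = "--live" ] && audit_live_host
```

Run it with `--live` on the host under review. A MITIGATED or HARDENED verdict only means the cheap precondition for the public exploit is removed; the kernel update is still the fix. If you choose the blocklist route, write `install nf_tables /bin/false` to a file under /etc/modprobe.d and then unload the module or reboot, since a blocklist has no effect on a module that is already loaded; if you choose the user namespace route, expect rootless containers and browser sandboxes that rely on user namespaces to break.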
Timeline
Oct 31, 2025
CISA confirms CVE-2024-1086 is used in ransomware attacks
CISA updated its KEV entry to state that CVE-2024-1086 is being used in ransomware intrusions, a renewed escalation more than a year after the fix shipped. Reporting noted that attackers had reliable exploitation methods that do not trigger kernel panics, but CISA did not release IOCs or further technical details.
Jun 20, 2024
Federal agencies ordered to secure CVE-2024-1086 by deadline
Following the KEV listing, CISA required federal civilian agencies to remediate or mitigate affected systems by June 20, 2024. Recommended measures included patching, blocklisting nf_tables, restricting user namespaces, or using LKRG where appropriate.
May 1, 2024
CISA adds CVE-2024-1086 to Known Exploited Vulnerabilities catalog
CISA added CVE-2024-1086 to its KEV catalog in May 2024 after confirming active exploitation. The agency warned that the bug posed significant risk to federal enterprises and other organizations.
Mar 1, 2024
Proof-of-concept exploit for CVE-2024-1086 is published
A public proof-of-concept exploit for CVE-2024-1086 was released in March 2024, increasing the likelihood of real-world abuse. The exploit demonstrated how local attackers could obtain root privileges on affected systems.
Mar 1, 2024
Researcher Notselwyn discloses technical details on CVE-2024-1086
Researcher Notselwyn, who reported the bug, published its technical details and exploitation characteristics, including the difficulty of triggering it reliably. The write-up clarified the impact on major Linux distributions.
Jan 1, 2024
Linux fixes CVE-2024-1086 in kernel updates
The Linux kernel vulnerability CVE-2024-1086 was fixed in January 2024. The flaw was a high-severity use-after-free issue in netfilter's nf_tables component.
Feb 1, 2014
Linux kernel bug CVE-2024-1086 introduced in nf_tables code
A Linux kernel commit introduced the nf_tables flaw later tracked as CVE-2024-1086. The bug affected kernel versions from 3.15 through 6.8-rc1 and enabled local privilege escalation to root.
Related Stories
Linux Kernel Privilege Escalation CVE-2026-31431 Draws Patch and PoC Activity
`CVE-2026-31431` is a Linux kernel flaw classified as **CWE-669: Incorrect Resource Transfer Between Spheres** that can enable local privilege escalation to root and, in some cases, bypass isolation boundaries. The Canadian Centre for Cyber Security warned that the impact becomes more severe when the bug is chained with a remote code execution vulnerability, and urged organizations to identify exposed systems, apply vendor fixes, reboot after kernel updates, restrict access, enforce kernel security controls, monitor logs, and segment high-risk or Internet-facing workloads. Vendor and community activity indicates broad exposure across modern Linux platforms. Red Hat lists **RHEL 8**, **RHEL 9**, **RHEL 10**, and corresponding `kernel-rt` packages as affected, while **RHEL 6** and **RHEL 7** are marked not affected because the vulnerable code is absent. Public exploit interest accelerated after Theori published the **"Copy Fail"** technical write-up and proof-of-concept repository, which references testing on **Ubuntu 24.04 LTS**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16**; Rocky Linux also published related errata, signaling downstream patch availability in enterprise Linux ecosystems.
5 days ago
Ransomware Actors Exploit BeyondTrust Remote Support Flaw Targeting Healthcare
U.S. health-sector authorities warned hospitals and clinics to urgently patch a **critical vulnerability** in *BeyondTrust Remote Support* and *Privileged Remote Access* that can provide attackers an initial foothold and enable **unauthorized control** of affected appliances inside enterprise networks. The flaw is tracked as **CVE-2026-1731** and was highlighted to the healthcare and public health sector amid increased targeting of those organizations. **CISA** added CVE-2026-1731 to its **Known Exploited Vulnerabilities (KEV)** catalog and set an accelerated remediation deadline for federal agencies, later updating the entry to warn that **ransomware operators are actively exploiting** the issue. *Palo Alto Networks Unit 42* also reported observed in-the-wild exploitation, describing threat actors weaponizing the vulnerability to take control of appliances and expand access within victim environments, increasing risk to clinical networks if unpatched.
1 month ago
CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) updated its Known Exploited Vulnerabilities (**KEV**) catalog to indicate that **CVE-2025-22225**, a high-severity VMware ESXi *VMX sandbox escape* flaw, is now **known to be used in ransomware campaigns**. Broadcom patched the issue in March 2025 as part of advisory `VMSA-2025-0004`, describing CVE-2025-22225 as an **arbitrary kernel write** reachable by an attacker with privileges in the `VMX` process, enabling escape from the VMX sandbox to the ESXi kernel. The same advisory also addressed two other zero-days—**CVE-2025-22224** (TOCTOU leading to out-of-bounds write/code execution as the VMX process) and **CVE-2025-22226** (HGFS out-of-bounds read/memory disclosure)—which Broadcom previously tagged as actively exploited in the wild. Reporting also tied the ESXi exploitation to earlier sophisticated activity: Huntress described Chinese-speaking threat actors leveraging access via a compromised SonicWall VPN to deliver tooling targeting VMware ESXi and chaining a VM escape technique that appeared to predate public disclosure of the March 2025 ESXi zero-days. Separately, GreyNoise research highlighted a broader KEV-catalog visibility gap, finding that CISA **quietly “flipped”** dozens of KEV entries during 2025 from “Unknown” to “Known” for ransomware use without prominent public notification—an approach that can materially affect enterprise prioritization when a vulnerability’s status changes to confirmed ransomware exploitation.
1 month ago