Linux nftables flaw CVE-2023-31248 enables local root via use-after-free
Researchers at STAR Labs detailed exploitation of CVE-2023-31248 in the Linux kernel's nftables subsystem, showing how a chain lookup flaw lets a local attacker gain root. The bug exists because nft_chain_lookup_byid did not check the chain's genmask, so a rule in a batch transaction could reference a chain that had already been deleted earlier in the same batch. Once the deferred transaction-worker cleanup frees the deleted chain, the rule still holds a pointer to it; this use-after-free gives the attacker a window to reclaim the freed memory and corrupt kernel objects. As with other nf_tables bugs, reaching the vulnerable netlink path requires CAP_NET_ADMIN, which an unprivileged user can obtain by creating a user namespace on distributions that allow it.
The write-up demonstrates the exploit on Ubuntu 23.04 with kernel 6.2.0-20-generic: heap sprays and information leaks recover kernel text and heap addresses, forged nftables structures then hijack control flow, and a ROP chain calling prepare_kernel_cred and commit_creds yields a root shell. The researchers state that Ubuntu kernels before 6.2.0-26-generic are vulnerable; the upstream fix adds genmask validation to chain-by-ID lookups so inactive chains can no longer be referenced. The same research also covered a separate bug in which toggling a table's dormant state repeatedly within one batch deactivated chain hooks incorrectly; it produces kernel warnings but was assessed as not practically exploitable, and was patched by rejecting repeated dormant-state toggles within a single batch.
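To make the genmask point concrete, here is an added user-space model (not code from the STAR Labs write-up or from the kernel) of how nftables tracks object liveness across a batch, with the chain-by-ID lookup shown before and after the fix. The genmask macros mirror the semantics in include/net/netfilter/nf_tables.h (a set bit means "inactive in that generation"); the struct layouts, the array-backed commit list and the function names lookup_byid_vulnerable, lookup_byid_fixed and demo_batch are simplified stand-ins, not kernel APIs.

```c
/* Added example: user-space model of nftables generation masks and of the
 * nft_chain_lookup_byid() check that was missing in CVE-2023-31248.
 * Macro semantics follow include/net/netfilter/nf_tables.h; everything
 * else (structs, commit list, function names) is a simplified stand-in. */
#include <stdio.h>
#include <stdint.h>

#define NFT_MSG_NEWCHAIN 1
#define NFT_MSG_DELCHAIN 2

struct net { unsigned int gencursor; };   /* 0 or 1, flips on commit */

/* A set bit means "inactive in that generation" (as in the kernel). */
#define nft_genmask_cur(net)   (1u << (net)->gencursor)
#define nft_genmask_next(net)  (1u << !(net)->gencursor)
#define nft_active_genmask(obj, genmask) (!((obj)->genmask & (genmask)))
/* New object: inactive now, active once the batch commits. */
#define nft_activate_next(net, obj)   ((obj)->genmask = nft_genmask_cur(net))
/* Deleted object: still active now, inactive once the batch commits. */
#define nft_deactivate_next(net, obj) ((obj)->genmask = nft_genmask_next(net))

struct nft_chain {
    char name[16];
    uint8_t genmask;
};

struct nft_trans {
    int msg_type;
    uint32_t chain_id;        /* only meaningful for NEWCHAIN */
    struct nft_chain *chain;
};

#define MAX_TRANS 8
struct commit_list { struct nft_trans t[MAX_TRANS]; int n; };

/* Pre-fix behaviour: any NEWCHAIN transaction with a matching id wins,
 * even if a later DELCHAIN in the same batch already deactivated it. */
struct nft_chain *lookup_byid_vulnerable(struct commit_list *cl, uint32_t id)
{
    for (int i = 0; i < cl->n; i++)
        if (cl->t[i].msg_type == NFT_MSG_NEWCHAIN && cl->t[i].chain_id == id)
            return cl->t[i].chain;
    return NULL;
}

/* Post-fix behaviour: the chain must also be active in the generation the
 * batch is building, so a chain deleted earlier in the batch is refused. */
struct nft_chain *lookup_byid_fixed(struct commit_list *cl, uint32_t id,
                                    uint8_t genmask)
{
    for (int i = 0; i < cl->n; i++) {
        struct nft_chain *c = cl->t[i].chain;
        if (cl->t[i].msg_type == NFT_MSG_NEWCHAIN && cl->t[i].chain_id == id &&
            nft_active_genmask(c, genmask))
            return c;
    }
    return NULL;
}

/* Replays the batch shape from the bug: NEWCHAIN (id 1), DELCHAIN of the
 * same chain, then a rule referring to chain id 1.  Returns 1 when the
 * vulnerable lookup hands back the chain already scheduled for deletion
 * while the fixed lookup reports it as absent. */
int demo_batch(void)
{
    struct net net = { .gencursor = 0 };
    struct nft_chain chain = { .name = "c1", .genmask = 0 };
    struct commit_list cl = { .n = 0 };

    /* NEWCHAIN: created objects are active only in the next generation */
    nft_activate_next(&net, &chain);
    cl.t[cl.n++] = (struct nft_trans){ NFT_MSG_NEWCHAIN, 1, &chain };

    /* DELCHAIN in the same batch: now inactive in the next generation */
    nft_deactivate_next(&net, &chain);
    cl.t[cl.n++] = (struct nft_trans){ NFT_MSG_DELCHAIN, 0, &chain };

    /* NEWRULE referencing chain id 1: batch lookups use nft_genmask_next */
    uint8_t genmask = nft_genmask_next(&net);
    struct nft_chain *v = lookup_byid_vulnerable(&cl, 1);
    struct nft_chain *f = lookup_byid_fixed(&cl, 1, genmask);

    printf("vulnerable lookup: %s\n", v ? v->name : "ENOENT");
    printf("fixed lookup:      %s\n", f ? f->name : "ENOENT");
    return v == &chain && f == NULL;
}

int main(void) { return demo_batch() ? 0 : 1; }
```

With the vulnerable lookup the rule is wired to a chain that the commit will free, which is the dangling pointer the exploit builds on; the fixed lookup fails the rule with ENOENT before the batch is ever committed.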
Timeline
Sep 25, 2023
STAR Labs publishes exploit analysis for CVE-2023-31248
STAR Labs published a technical write-up showing how CVE-2023-31248 could be exploited on Ubuntu 23.04 with kernel 6.2.0-20-generic to gain RIP control and obtain a root shell. The article also documented a separate dormant-state chain hook deactivation bug that appeared to cause kernel warnings but was not considered practically exploitable.
Sep 25, 2023
Write-up documents upstream fixes for nftables dormant toggle bug and CVE-2023-31248
The write-up describes two upstream fixes: one rejects repeated dormant-state toggles within a single batch transaction, ending the spurious hook deactivation warnings, and the other adds genmask validation to chain-by-ID lookups so a rule cannot reference a chain deleted earlier in the same batch. It notes that Ubuntu kernels before 6.2.0-26-generic remain vulnerable to CVE-2023-31248.
Sep 25, 2023
Linux nftables chain lookup flaw enables local privilege escalation
CVE-2023-31248 was identified in the Linux kernel's nftables subsystem because nft_chain_lookup_byid did not check a chain's genmask before returning it. A rule could therefore reference a chain deleted in the same batch transaction and keep a pointer to it after the chain was freed, a use-after-free exploitable for local privilege escalation.
Related Stories

Linux Kernel Privilege Escalation CVE-2026-31431 Draws Patch and PoC Activity
`CVE-2026-31431` is a Linux kernel flaw classified as **CWE-669: Incorrect Resource Transfer Between Spheres** that can enable local privilege escalation to root and, in some cases, bypass isolation boundaries. The Canadian Centre for Cyber Security warned that the impact becomes more severe when the bug is chained with a remote code execution vulnerability, and urged organizations to identify exposed systems, apply vendor fixes, reboot after kernel updates, restrict access, enforce kernel security controls, monitor logs, and segment high-risk or Internet-facing workloads. Vendor and community activity indicates broad exposure across modern Linux platforms. Red Hat lists **RHEL 8**, **RHEL 9**, **RHEL 10**, and corresponding `kernel-rt` packages as affected, while **RHEL 6** and **RHEL 7** are marked not affected because the vulnerable code is absent. Public exploit interest accelerated after Theori published the **"Copy Fail"** technical write-up and proof-of-concept repository, which references testing on **Ubuntu 24.04 LTS**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16**; Rocky Linux also published related errata, signaling downstream patch availability in enterprise Linux ecosystems.
5 days ago
Ransomware Exploitation of Linux Kernel CVE-2024-1086 Privilege Escalation Flaw
CISA has confirmed that ransomware groups are actively exploiting a high-severity privilege escalation vulnerability in the Linux kernel, tracked as CVE-2024-1086. This use-after-free flaw, present in the netfilter: nf_tables component and introduced in 2014, was patched in January 2024 but remains a significant risk for unpatched systems. Successful exploitation allows attackers with local access to escalate privileges to root, enabling full system takeover, disabling of security defenses, installation of malware, and lateral movement within networks. The vulnerability affects a wide range of major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat, across kernel versions from 3.15 to 6.8-rc1. In March 2024, a security researcher published a detailed proof-of-concept exploit, further increasing the risk of widespread exploitation. CISA added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and mandated that federal agencies secure affected systems by June 20, 2024. Despite the availability of a patch, ransomware campaigns have begun leveraging this flaw, though CISA has not disclosed specific threat actor identities or detailed attack campaigns. Security experts recommend immediate patching, or if not possible, implementing mitigations such as blocklisting 'nf_tables', restricting user namespace access, or loading the Linux Kernel Runtime Guard (LKRG) module. The public availability of exploit code and the broad impact across Linux environments underscore the urgency for organizations to address this vulnerability to prevent ransomware-driven compromise and data theft.
1 month ago
Linux Kernel POSIX Timer Use-After-Free Vulnerability (CVE-2025-38352) Exploited with Public PoC
A critical use-after-free vulnerability, tracked as CVE-2025-38352, has been identified in the Linux kernel's POSIX CPU timer implementation. The flaw arises from a race condition in the `handle_posix_cpu_timers()` function, which can be exploited when a process enters a zombie state and timer structures are prematurely freed while still in use. This vulnerability is particularly impactful on systems with `CONFIG_POSIX_CPU_TIMERS_TASK_WORK` disabled, notably affecting 32-bit Android kernels and Linux LTS 6.12.33. A proof-of-concept (PoC) exploit for CVE-2025-38352 has been publicly released, demonstrating how attackers can leverage the race condition to trigger kernel memory corruption and potentially escalate privileges locally. The exploit involves creating a POSIX CPU timer, forcing a thread into a zombie state, and deleting the timer at a critical moment to induce a use-after-free scenario. Successful exploitation is evidenced by KASAN memory sanitizer warnings, and the vulnerability poses a significant risk for local privilege escalation on affected Linux systems.
1 month ago