CVE-2024-1086 is a Linux kernel local privilege escalation vulnerability in the netfilter nf_tables subsystem. The flaw is described as a use-after-free condition, with supporting technical detail indicating that nft_verdict_init() accepts positive values as a drop error in a hook verdict. As a result, when nf_hook_slow() processes an NF_DROP verdict with a drop error value that resembles NF_ACCEPT, kernel memory can be freed twice, leading to memory corruption and a use-after-free/double-free condition in the packet filtering path. Public reporting and advisories indicate the vulnerable code was introduced in 2014, affects a broad range of kernels including versions reported from 3.15 up to 6.8-rc1, and has been demonstrated on kernels in the 5.14 through 6.6 range. The issue is fixed upstream by commit f342de4e2f33e0e39165d8639387aa6c19dff660.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
This repository is a real local privilege escalation exploit for CVE-2024-1086 in the Linux kernel nf_tables subsystem. It is not part of a common exploit framework; it is a standalone C project that builds a static binary named ./exploit using musl-gcc. The README states it targets vulnerable Linux kernels primarily in the v5.14-v6.6 range, with prerequisites including unprivileged user namespaces and nf_tables support, and it aims to provide a root shell after successful exploitation. Repository structure indicates the core exploit lives in src/main.c with supporting modules src/env.c, src/net.c, src/nftnl.c, and src/file.c, though those source contents were not included in the provided material. The Makefile shows the exploit is compiled statically and linked against bundled libmnl and libnftnl archives, strongly indicating the exploit interacts directly with Linux netlink/nf_tables interfaces to trigger the vulnerability. The repository also vendors a large set of fixed-version headers for libmnl, libnftnl, and Linux UAPI headers to ensure build compatibility across environments. Capabilities inferred from the README and build layout: local kernel exploitation, nftables/netlink manipulation, privilege escalation to root, and optional fileless execution of the compiled binary via memfd_create and /proc/self/fd. The README explicitly notes the exploit is intentionally unstable and may crash/panic the kernel after exploitation, which aligns with a proof-of-concept/operational LPE rather than a stealthy post-exploitation tool. Fingerprintable endpoints are mostly local file paths and build artifacts rather than remote C2 infrastructure. The only network-like observables in the provided content are documentation/reference URLs and an example placeholder download URL used in the README's fileless execution example. Based on the included headers and libraries, the actual exploit likely communicates with the kernel over local netlink sockets rather than external network services.
This repository is a real local privilege escalation exploit for CVE-2024-1086 in the Linux kernel nf_tables subsystem. It is not part of a larger exploit framework; it is a standalone C project that builds a static binary named ./exploit using musl-gcc. The Makefile shows the main codebase is split across src/main.c, src/env.c, src/net.c, src/nftnl.c, and src/file.c, indicating a modular design with an entry point, environment preparation, networking/netlink handling, nftables object/message construction, and file/helper routines. The repository structure is dominated by vendored headers for libmnl, libnftnl, and Linux UAPI headers pinned to specific versions for build compatibility. This strongly suggests the exploit directly crafts and sends netlink messages to the kernel netfilter/nf_tables subsystem rather than relying on shell commands or external tools. The included static libraries ./lib/libmnl.a and ./lib/libnftnl.a are referenced by the Makefile for fully static linking. The README describes the exploit as a universal PoC for vulnerable Linux kernels, especially Debian, Ubuntu, and KernelCTF images, with a high success rate in KernelCTF. Capability-wise, the exploit performs local kernel exploitation to obtain root privileges and a working root shell. It requires a local foothold on the target machine and depends on specific kernel features being enabled: unprivileged user namespaces and nf_tables. The README explicitly states the exploit is intentionally unstable and may crash/panic the kernel after successful exploitation, which the author frames as a deliberate limitation to reduce malicious operational use. This means the exploit is operational and weapon-capable in the sense that it achieves privilege escalation, but it is still presented as a PoC with deliberate instability. No remote C2, hardcoded IPs, or external service URLs used for exploitation are visible in the provided content. The meaningful fingerprintable targets are local/kernel-facing: the exploit binary path, source/config paths, the sysctl kernel.unprivileged_userns_clone, and the kernel subsystems/features it depends on, especially nf_tables over netlink. Overall, the repository’s purpose is to provide a portable, statically linked Linux local privilege escalation PoC for CVE-2024-1086 using direct netfilter/netlink interactions.
This repository is a C-based exploit targeting the Linux kernel's nftables/netfilter subsystem, likely for privilege escalation or firewall bypass. The project is structured with a Makefile that compiles several C source files (main.c, env.c, net.c, nftnl.c, file.c) into a statically linked binary named 'exploit'. The repository includes custom versions of libmnl and libnftnl headers and static libraries, as well as Linux kernel headers (6.1.72), to ensure compatibility and portability. The exploit interacts with netlink sockets and manipulates nftables rules, indicating a local attack vector. No hardcoded network endpoints, IPs, or domains are present; all endpoints are local files or system interfaces. The code is operational and not a detection script or fake exploit, but the actual payload and exploit details are not visible in the provided content. The exploit is a proof-of-concept (POC) and requires local access to a Linux system with nftables/netfilter support.
This repository provides a working local privilege escalation exploit for CVE-2024-1086, a double-free vulnerability in the Linux kernel's netfilter/nftables subsystem (notably affecting kernel 6.3.x). The main exploit is implemented in 'exp.c', which orchestrates namespace setup, network configuration, and a series of memory and netfilter manipulations to achieve kernel memory corruption. The exploit ultimately overwrites the modprobe_path or usermodehelper_path, allowing execution of a shell as root. Supporting files in the 'tests/' directory include C programs for page table spraying and overlap testing, as well as a kernel patch for debugging page table allocations. The exploit requires specific kernel configuration options and is intended for educational or research use. Key fingerprintable endpoints include '/sbin/modprobe', '/sbin/usermode-helper', and several /proc/self/* files used for namespace manipulation. The exploit is operational, providing a real privilege escalation payload, and is not a detection script or a fake exploit.
This repository is a Proof-of-Concept (PoC) local privilege escalation exploit for CVE-2024-1086, targeting the Linux kernel's nftables subsystem. The exploit is written in C and is designed to work on most Linux kernels from v5.14 to v6.6 (excluding patched branches), with the underlying vulnerability present from v3.15 to v6.8-rc1. The repository includes a Makefile for building the exploit statically using musl-gcc, with custom header and library files for compatibility. The main output is a binary named 'exploit', which, when executed on a vulnerable system, spawns a root shell. The README provides detailed usage instructions, configuration caveats, and a Perl-based fileless execution method for stealthy exploitation. The exploit requires specific kernel configurations (user namespaces, nf_tables) and is primarily tested on x64/amd64 platforms. The repository structure includes source code, build scripts, and bundled headers for libmnl, libnftnl, and Linux kernel UAPI, but the core exploit logic resides in the C source files under 'src/'. No network or remote attack vector is present; exploitation is strictly local. The exploit is operational as a PoC and does not include weaponized features such as payload customization or remote delivery.
This repository provides a Docker-based environment to build and test a local privilege escalation exploit for CVE-2024-1086, a Linux kernel vulnerability. The repository itself does not contain the exploit code, but instead clones it from https://github.com/Notselwyn/CVE-2024-1086. The Dockerfile sets up a Rocky Linux 9.3 container, installs necessary build tools, compiles musl, and builds the exploit. The container is run with elevated privileges (privileged mode, SYS_ADMIN capability, seccomp disabled) to allow the exploit to function. The README demonstrates usage, showing that running the exploit binary inside the container can result in a root shell, and in some cases, may cause the container to reboot. The main attack vector is local privilege escalation within a Linux environment. The only fingerprintable endpoints are the external GitHub repository for the exploit code and the /etc/shadow file used to demonstrate privilege escalation. The repository structure is minimal, containing only a Dockerfile, a README, and a Docker Compose file to orchestrate the environment.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
60 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Linux kernel nf_tables use-after-free vulnerability listed in CISA's Known Exploited Vulnerabilities catalog.
A previously published Linux kernel vulnerability referenced as an example of an N-day exploit target with existing public exploitation walkthroughs.
A previously published Linux kernel vulnerability referenced as an example of an N-day exploit target with existing public exploitation walkthroughs.
A Linux vulnerability that CISA KEV’s knownRansomwareCampaignUse field silently flipped to Known during 2025 (evidence of ransomware campaign use).
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.