Linux Kernel Exploit Published for Critical nftables Bug

A proof-of-concept (PoC) exploit has been published for CVE-2024-26809, a critical vulnerability in the Linux kernel's nftables subsystem (the nf_tables netfilter module). The flaw is a double free in nft_pipapo_destroy(), the teardown path of the pipapo set backend in net/netfilter/nft_set_pipapo.c: the set's live lookup table (nft_pipapo_match) and its working clone reference the same set elements, and the destroy path released those elements from both views. An attacker who can create and modify nftables sets with overlapping elements can therefore trigger the second free, corrupt the kernel heap and ultimately hijack execution flow. Creating nftables objects requires CAP_NET_ADMIN, which an unprivileged local user can obtain inside a user namespace on systems where unprivileged user namespaces are enabled, so the bug is a local privilege escalation rather than a remote one.
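To make the shape of the bug concrete, here is a small user-space model of the destroy path, written for this article as an added example; it is not kernel code and not the PoC. The structures, names and the `dirty` flag are assumptions that mirror only the relevant part of the kernel logic: a match and its clone sharing element pointers, a vulnerable destroy that releases elements from both views, and a fixed destroy that releases them only from the clone (the approach the upstream fix takes). Since a real second kfree() would corrupt the allocator rather than report anything, the release function is instrumented to count double releases instead of freeing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified user-space model of the nft_pipapo_destroy() double free
 * (CVE-2024-26809). Not kernel code: the structures and helpers below are
 * assumptions that reproduce only the shape of the bug, where the live match
 * and its working clone share the same element pointers and the destroy
 * path released them from both views.
 */

#define MAX_ELEMS 8

/* Stand-in for a set element (the kernel's nft_pipapo_elem). */
struct elem {
    int key;
    int freed;   /* instrumentation: how many times release was called */
};

/* Stand-in for nft_pipapo_match: a view over a list of element pointers. */
struct match {
    struct elem *elems[MAX_ELEMS];
    int nelems;
};

/* Stand-in for nft_pipapo: the live match plus the clone used by the
 * transaction path; 'dirty' means the clone carries uncommitted changes. */
struct pipapo {
    struct match *match;
    struct match *clone;
    int dirty;
};

static int double_frees;  /* release calls on an already-released element */

/* Instrumented stand-in for the element destructor: a real kfree() would
 * corrupt the slab freelist on a second call, so we count instead of freeing. */
static void elem_release(struct elem *e)
{
    if (e->freed)
        double_frees++;
    e->freed++;
}

static void match_destroy_elems(struct match *m)
{
    for (int i = 0; i < m->nelems; i++)
        elem_release(m->elems[i]);
}

/* Cloning copies the lookup table, but the element pointers stay shared
 * between match and clone; a pointer copy models that. */
static struct match *match_clone(const struct match *m)
{
    struct match *c = malloc(sizeof(*c));
    memcpy(c, m, sizeof(*c));
    return c;
}

/* Vulnerable shape: release elements from the live match, then again from
 * the dirty clone that references the very same elements. */
static void pipapo_destroy_vuln(struct pipapo *p)
{
    if (p->match) {
        match_destroy_elems(p->match);
        free(p->match);
        p->match = NULL;
    }
    if (p->clone) {
        if (p->dirty)
            match_destroy_elems(p->clone);  /* second release of shared elements */
        free(p->clone);
        p->clone = NULL;
    }
}

/* Fixed shape: the clone is always the current view, so release elements
 * from it alone and fall back to the match only when no clone exists. */
static void pipapo_destroy_fixed(struct pipapo *p)
{
    if (p->clone) {
        match_destroy_elems(p->clone);
        free(p->clone);
        p->clone = NULL;
    } else if (p->match) {
        match_destroy_elems(p->match);
    }
    free(p->match);
    p->match = NULL;
}

/* Build a set with n elements and a dirty clone, then run one destroy variant.
 * Returns the number of double releases observed; *single_out receives how
 * many elements were released exactly once. */
static int run_scenario(int n, int use_fixed, int *single_out)
{
    struct elem elems[MAX_ELEMS] = {0};
    struct match *m = calloc(1, sizeof(*m));
    struct pipapo p = { .match = m, .clone = NULL, .dirty = 1 };

    for (int i = 0; i < n; i++) {
        elems[i].key = i;
        m->elems[i] = &elems[i];
    }
    m->nelems = n;
    p.clone = match_clone(m);

    double_frees = 0;
    if (use_fixed)
        pipapo_destroy_fixed(&p);
    else
        pipapo_destroy_vuln(&p);

    int single = 0;
    for (int i = 0; i < n; i++)
        if (elems[i].freed == 1)
            single++;
    *single_out = single;
    return double_frees;
}

int main(void)
{
    int single;
    int dbl = run_scenario(4, 0, &single);
    printf("vulnerable destroy: %d double releases, %d released once\n", dbl, single);
    dbl = run_scenario(4, 1, &single);
    printf("fixed destroy:      %d double releases, %d released once\n", dbl, single);
    return 0;
}
```

The vulnerable variant releases every shared element twice; the fixed variant releases each exactly once while still freeing both views. In the kernel the second release is a kfree() into the slab cache, which is the corruption the exploit builds on.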

The exploit targets the kmalloc-256 slab cache: after the first free it reclaims the freed memory with attacker-controlled objects (heap spraying), uses crafted nftables objects to leak kernel addresses and so defeat KASLR, and then hijacks control flow with a Return-Oriented Programming (ROP) chain to obtain root.

Linux kernel versions 5.15.54 and above, including the 6.1 and 6.6 LTS branches, are reported as affected. Major distributions such as Debian, Ubuntu and SUSE have issued patches, and administrators are urged to update immediately; because distributions backport fixes without changing the upstream version number, confirm the fix through the distribution's security advisory or package changelog rather than from `uname -r` alone. Where patching must wait, the usual compensating control for netfilter bugs applies: stop unprivileged users from creating user namespaces (for example `sysctl kernel.unprivileged_userns_clone=0` on Debian and Ubuntu kernels, or `sysctl user.max_user_namespaces=0`), so that an ordinary local user cannot obtain the CAP_NET_ADMIN needed to reach nf_tables. The public release of an exploit raises the risk of attacks against unpatched systems in production environments.
