CVE-2024-26581 PoC Exploit Released: Linux Systems at Risk of Root Compromise

by do son · September 5, 2024

The security researchers have publicly disclosed technical details and proof-of-concept (PoC) exploit code for a CVE-2024-26581 (CVSS 7.8) vulnerability within the Linux kernel. The flaw poses a serious risk, allowing local authenticated attackers to obtain sensitive information from affected systems.

The vulnerability resides within the nft_set_rbtree function, responsible for managing sets in nftables. An attacker can trigger this flaw by sending a specially crafted request, resulting in the unauthorized disclosure of an “end interval element” during a transaction. This leaked information could then be exploited for further malicious activities.

Linux kernel versions 6.1.9 and later, 5.15.91 and later, and 5.10.166 and later are confirmed to be susceptible to this vulnerability.

while (prev) {
        rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
        if (nft_rbtree_interval_end(rbe_prev) &&
        nft_set_elem_active(&rbe_prev->ext, genmask))
            break;
        prev = rb_prev(prev);
    }

The core issue lies in the nft_rbtree_gc_elem function, which lacks a crucial check on the ‘setelement’ referenced by ‘prev’. This omission can trigger a use-after-free condition, a scenario where memory that has been deallocated is inadvertently accessed, leading to unpredictable behavior and potential security breaches.

Specifically, the vulnerability occurs during the rollback of a transaction in the nftables framework. When an error is detected, the rollback mechanism (nf_tables_abort) is triggered, leading to the potential double deletion of a set element. This flaw is exacerbated if the attacker manages to insert a set element with the NFTA_SET_ELEM_EXPIRATION and NFTA_SET_ELEM_TIMEOUT flags, followed by another element with the NFT_SET_ELEM_INTERVAL_END flag, before triggering an error condition.

Detailed exploitation steps and a proof-of-concept (PoC) exploit code for CVE-2024-26581 have been publicly released, demonstrating the feasibility of leveraging this vulnerability for information leakage. By chaining this initial exploit with carefully crafted subsequent attacks, an attacker could potentially escalate their privileges to the root level, gaining full control over the affected system.

System administrators are urged to review their kernel versions and apply any available updates or patches. Additionally, monitoring for suspicious activity related to nftables and implementing additional security measures, such as limiting local access and using security modules like SELinux, can help mitigate the risk.