CISA warns of actively exploited old Linux kernel vulnerability
Take action: If you run Linux servers or workstations, schedule a kernel update to a version that carries the fix (or rebuild from the latest patched source). Ransomware groups are using this flaw to go from an ordinary local account to root once they have an initial foothold. As usual, strong credentials, network segmentation and awareness of social engineering are a must. If you cannot update right away, blocklist the nf_tables module (where nothing on the host depends on nftables) and restrict unprivileged user namespaces until you can patch.
Learn More
On Thursday, October 30, 2025, CISA updated its Known Exploited Vulnerabilities (KEV) catalog entry for a high-severity privilege-escalation flaw in the Linux kernel to record that ransomware groups are actively exploiting it. The flaw had already been in the KEV catalog since May 30, 2024; the October update raises its priority rather than disclosing anything new.
The vulnerability, tracked as CVE-2024-1086 (CVSS score 7.8), is a use-after-free in the netfilter nf_tables subsystem of the Linux kernel, which implements packet filtering, network address translation (NAT) and other packet manipulation. The bug is in nft_verdict_init(): it accepted user-supplied verdicts that combine NF_DROP with a positive "error" value in the upper bits, which no legitimate rule produces. When nf_hook_slow() later processed such a verdict it freed the packet buffer for the drop and then returned a value its caller interprets as "keep processing the packet", so the buffer was freed a second time (the double free the CVE description refers to). An attacker who already has unprivileged local code execution can turn this into root, that is, complete control of the host.
The vulnerability was publicly disclosed on January 31, 2024, but the defective code was introduced by a commit in February 2014 and first shipped in v3.15, so the flaw sat in the kernel for roughly a decade before it was found.
Upstream Linux kernel versions from v3.15 up to and including v6.8-rc1 contain the flaw. That range covers kernels shipped by the major distributions, including:
- Debian (various versions using affected kernel versions)
- Ubuntu (various versions using affected kernel versions)
- Fedora (various versions using affected kernel versions)
- Red Hat Enterprise Linux (various versions using affected kernel versions)
A public proof-of-concept exploit has been demonstrated against kernels from 5.14 through 6.6. That is the range the exploit was written and tested for, not the full vulnerable range; older affected kernels are still vulnerable, just not covered by that particular exploit.
The fix was merged into the mainline kernel in late January 2024 (it is in v6.8-rc2, which is why the affected range ends at v6.8-rc1), and stable kernel releases carrying the backport followed in early February 2024. Organizations should upgrade to a kernel that includes the mainline fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660
Individual Linux distributions have released their own patched kernels incorporating this fix. Check your distribution's security advisory for the fixed package version rather than comparing against the upstream version number: stable and distribution kernels backport fixes without changing the version they report, so a 5.15 or 6.1 kernel may or may not be patched depending on its package release.
According to threat intelligence reports, ransomware actors first gain initial access through social engineering or other exploitation, then use CVE-2024-1086 to escalate from that foothold to root, disable security controls, exfiltrate data and finally deploy ransomware payloads to encrypt files before demanding a cryptocurrency ransom.
Organizations that cannot apply patches immediately are strongly advised by CISA to implement the following mitigations to reduce the attack surface until they can:
- Blocklist nf_tables: If nftables functionality is not needed or actively used in the environment, blocklist the nf_tables module so it cannot be loaded. Check first that nothing on the host depends on it (nft itself, firewalld, and iptables-nft all do), and note that the blocklist does nothing on kernels that compile nf_tables in rather than as a module; those hosts can only be fixed by patching.
- Restrict access to user namespaces: The public exploit relies on unprivileged user namespaces to obtain CAP_NET_ADMIN inside a namespace and reach the nf_tables netlink interface. Disabling unprivileged user namespace creation removes that path. Be aware that rootless containers and some application sandboxes (browsers, Flatpak) also rely on user namespaces and will be affected.
- Deploy Linux Kernel Runtime Guard (LKRG): Loading the LKRG module, an out-of-tree kernel module, can add runtime detection of this class of exploitation, but it can cause system instability in some configurations and should be thoroughly tested before production deployment.
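The script below is an added example, not part of CISA's alert and not tooling from any distribution, that implements the first two mitigations and the checks a practitioner should run before applying them: whether nf_tables is built in (in which case the blocklist is useless), whether it is currently loaded, and which user-namespace sysctl this particular kernel exposes. The config file paths, the choice of `install nf_tables /bin/false` over `blacklist` alone, and the preference order among the three sysctls are the author's decisions, not prescriptions from the advisory; the sample snapshots are constructed, not captured from a real host.

```shell
#!/bin/sh
# Interim-mitigation helper for CVE-2024-1086 (added example, not CISA's or a
# distribution's tooling). Implements the two KEV-listed workarounds and the
# preconditions worth checking first. File paths and sysctl preference order
# below are the author's assumptions.

MODPROBE_CONF="${MODPROBE_CONF:-/etc/modprobe.d/cve-2024-1086.conf}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.d/99-cve-2024-1086.conf}"

# Constructed snapshots (not from a real host) so the helpers run offline.
SAMPLE_MODULES='nft_compat 20480 2 - Live 0x0000000000000000
nf_tables 274432 12 nft_compat, Live 0x0000000000000000
xt_tcpudp 20480 0 - Live 0x0000000000000000'
SAMPLE_BUILTIN='kernel/net/netfilter/nf_conntrack.ko
kernel/net/netfilter/x_tables.ko'
SAMPLE_SYSCTL='kernel.unprivileged_userns_clone = 1
user.max_user_namespaces = 63222'

# ---- pure helpers: take file contents as arguments so they are testable ----

# nf_tables_state PROC_MODULES_TEXT MODULES_BUILTIN_TEXT
# "builtin": compiled into the kernel, a module blocklist cannot help, patch.
# "loaded":  module currently loaded.  "absent": neither.
nf_tables_state() {
  if printf '%s\n' "$2" | grep -q '/nf_tables\.ko$'; then
    echo builtin
  elif printf '%s\n' "$1" | grep -q '^nf_tables '; then
    echo loaded
  else
    echo absent
  fi
}

# 'blacklist' only stops alias-based autoload; the 'install' line also defeats
# the kernel's own request_module() and an explicit 'modprobe nf_tables'.
modprobe_blocklist_stanza() {
  printf 'install nf_tables /bin/false\nblacklist nf_tables\n'
}

# userns_knob SYSCTL_A_TEXT
# Picks the least disruptive restriction this kernel exposes (input: 'sysctl -a'
# output). The distribution knobs only affect unprivileged users; the upstream
# fallback user.max_user_namespaces=0 also stops root, systemd and rootless
# containers from creating namespaces. Prints nothing if no knob exists.
userns_knob() {
  if printf '%s\n' "$1" | grep -q '^kernel\.unprivileged_userns_clone '; then
    echo 'kernel.unprivileged_userns_clone=0'           # Debian/Ubuntu
  elif printf '%s\n' "$1" | grep -q '^kernel\.apparmor_restrict_unprivileged_userns '; then
    echo 'kernel.apparmor_restrict_unprivileged_userns=1' # Ubuntu 23.10+
  elif printf '%s\n' "$1" | grep -q '^user\.max_user_namespaces '; then
    echo 'user.max_user_namespaces=0'                    # upstream, coarse
  fi
}

# userns_restricted SYSCTL_A_TEXT: exit 0 if any knob is already restricted.
userns_restricted() {
  printf '%s\n' "$1" | grep -Eq \
    '^(kernel\.unprivileged_userns_clone = 0|kernel\.apparmor_restrict_unprivileged_userns = 1|user\.max_user_namespaces = 0)$'
}

# ---- live-system actions (run as root) -------------------------------------

check_host() {
  mods=$(cat /proc/modules)
  builtin=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)
  sysctls=$(sysctl -a 2>/dev/null)
  echo "kernel: $(uname -r)"
  echo "nf_tables: $(nf_tables_state "$mods" "$builtin")"
  if userns_restricted "$sysctls"; then
    echo "user namespaces: restricted"
  else
    echo "user namespaces: unrestricted (would set: $(userns_knob "$sysctls"))"
  fi
}

apply_mitigations() {
  mods=$(cat /proc/modules)
  builtin=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)
  case $(nf_tables_state "$mods" "$builtin") in
    builtin) echo "nf_tables is built in: blocklisting does nothing, patch the kernel" ;;
    loaded)  echo "nf_tables is loaded; blocklist takes effect after reboot (rmmod fails while rules exist)" ;;
  esac
  modprobe_blocklist_stanza > "$MODPROBE_CONF"
  knob=$(userns_knob "$(sysctl -a 2>/dev/null)")
  if [ -n "$knob" ]; then
    printf '%s\n' "$knob" > "$SYSCTL_CONF"   # persist across reboots
    sysctl -w "$knob"                         # apply immediately
  else
    echo "no user-namespace restriction sysctl found on this kernel"
  fi
}

case "${1:-}" in
  --check) check_host ;;
  --apply) apply_mitigations ;;
  --demo)  echo "nf_tables: $(nf_tables_state "$SAMPLE_MODULES" "$SAMPLE_BUILTIN")"
           echo "would set: $(userns_knob "$SAMPLE_SYSCTL")" ;;
  *) echo "usage: $0 --check | --apply (as root) | --demo" ;;
esac
```

Run `--check` first on a representative host: a `builtin` result means the blocklist will not protect you and the only remedy is the kernel update, and a `loaded` result means the module stays resident until reboot even after the blocklist is written. Prefer the distribution-specific namespace knob when one exists; `user.max_user_namespaces=0` is a blunt instrument that will break rootless Podman and any systemd unit using `PrivateUsers=`.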