CVE-2024-26809 Overview
CVE-2024-26809 is a Linux kernel vulnerability in the nft_set_pipapo component of netfilter's nf_tables subsystem. The flaw allows elements in a cloned lookup table to be destroyed twice when the set is torn down. A local attacker with privileges to manipulate nftables can trigger a double-free condition, leading to kernel memory corruption and denial of service. The issue was resolved by ensuring that elements in the clone are only released from the destroy path, leveraging the clone's current view of the lookup table.
Critical Impact
Local users with nftables privileges can trigger kernel-level memory corruption resulting in system crash or potential further exploitation of freed memory structures.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix commits)
- Debian Linux 10.0
- Distributions shipping vulnerable Linux kernel builds with nftables enabled
Discovery Timeline
- 2024-04-04 - CVE-2024-26809 published to NVD
- 2025-03-19 - Last updated in NVD database
Technical Details for CVE-2024-26809
Vulnerability Analysis
The vulnerability resides in nft_set_pipapo, the netfilter implementation of the PIPAPO (PIle PAcket POlicies) set lookup algorithm used for efficient packet classification. The pipapo set type maintains a clone of its lookup table to support concurrent commit and abort paths in the nf_tables transaction protocol.
Before the fix, the destroy path could release elements that had already been released through another code path, producing a double-free (CWE-415) condition on kernel slab objects. The corrupted allocator state can crash the kernel or be leveraged to corrupt adjacent objects.
Exploitation requires local access and the CAP_NET_ADMIN capability within a user or network namespace, which is reachable on many distributions where unprivileged user namespaces are enabled.
Root Cause
The root cause is incorrect ownership of set elements during destruction. The clone produced by the pipapo commit protocol already reflects the current view of the lookup table. The original destroy path also iterated over elements that the clone owned, causing the same elements to be freed twice. The fix ensures the destroy path releases elements only via the clone, eliminating the duplicate free.
This fix depends on commit 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol"), which followed commit 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path").
Attack Vector
A local attacker creates an nftables ruleset that builds a pipapo set, then issues transactions that exercise the destroy path on a cloned set. Repeated abort and destroy operations can race element release across the original and cloned views, triggering the double-free. The result is kernel memory corruption that typically manifests as a kernel panic or a KASAN BUG report, with potential for further exploitation through slab heap manipulation.
No public exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
See the upstream patch commits, including git.kernel.org commit b36b8329 and git.kernel.org commit ff900507, for the precise code-level changes.
Detection Methods for CVE-2024-26809
Indicators of Compromise
- Kernel oops, panic, or KASAN double-free reports (BUG: KASAN: double-free ...) referencing nft_pipapo or nft_set_pipapo symbols in dmesg.
- Unexpected restarts of hosts running netfilter-based firewalls or container hosts using nftables-backed network policies.
- Audit records showing unprivileged processes invoking NFNL_SUBSYS_NFTABLES operations that create or destroy pipapo sets.
Detection Strategies
- Inventory running kernels against the patched stable versions listed in the kernel.org commit references and flag hosts on older revisions.
- Monitor auditd rules for setsockopt and sendmsg operations on AF_NETLINK sockets bound to NETLINK_NETFILTER by non-root users.
- Hunt for processes creating nftables sets with type pipapo outside of expected firewall management tooling.
Monitoring Recommendations
- Centralize kernel logs and alert on slab allocator warnings, KASAN reports, and crashes mentioning netfilter symbols.
- Track use of unprivileged user namespaces (kernel.unprivileged_userns_clone) since this is the most common path to CAP_NET_ADMIN for local users.
- Correlate sudden host reboots with preceding netlink activity to identify probing or exploitation attempts.
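The kernel-log indicators above can be scanned mechanically. The script below is an added example, not part of the advisory: it reads kernel log lines (for instance from journalctl -k) and reports each crash or KASAN header that is followed, within the same report, by a netfilter or pipapo stack frame. The sample log text is constructed for the self-check and is not real crash output.

```shell
#!/bin/sh
# Added example: flag KASAN/oops reports whose stack trace mentions netfilter
# pipapo symbols. Reads log lines on stdin, prints "<header> :: <frame>".
# Usage on a host: journalctl -k --no-pager | scan_kmsg

scan_kmsg() {
    awk '
      # A crash header starts a new report window of up to 40 lines.
      /BUG:|Oops:|double-free|general protection fault/ {
          hdr = $0; age = 0; open = 1
      }
      # First netfilter/pipapo frame inside an open window closes it with a hit.
      open && /nft_(set_)?pipapo|nf_tables|netfilter/ {
          print hdr " :: " $0; open = 0
      }
      { if (open && ++age > 40) open = 0 }
    '
}

# Constructed sample (NOT a real report): one pipapo double-free report,
# one unrelated KASAN report, one benign line.
SAMPLE_LOG='kernel: ==================================================================
kernel: BUG: KASAN: double-free in kfree+0x9c/0x1c0
kernel: Call Trace:
kernel:  kfree+0x9c/0x1c0
kernel:  nft_pipapo_destroy+0x1a0/0x2c0 [nf_tables]
kernel:  nf_tables_commit+0x3e0/0x12a0 [nf_tables]
kernel: ==================================================================
kernel: BUG: KASAN: use-after-free in ext4_find_entry+0x10/0x20
kernel: Call Trace:
kernel:  ext4_lookup+0x44/0x60
kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# Number of hits in the constructed sample (expected: 1).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_kmsg | wc -l | tr -d ' '
}
```

A line that mentions pipapo without a preceding crash header (normal module load messages, for example) is deliberately not reported.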
How to Mitigate CVE-2024-26809
Immediate Actions Required
- Update the Linux kernel to a stable release containing one of the fix commits referenced on git.kernel.org for this CVE.
- Apply the Debian security update described in the Debian LTS Announcement on Debian 10 hosts.
- Reboot affected systems after patching to ensure the fixed kernel image is loaded.
Patch Information
The issue is resolved across multiple stable kernel branches by the commits 362508506bf5, 5ad233dc731a, 821e28d5b506, 9384b4d85c46, b0e256f3dd2b, b36b83297ff4, and ff9050077141. Each commit constrains pipapo element destruction to the clone path, eliminating duplicate frees. Distribution-specific kernels should be updated to the vendor-supplied release that incorporates these fixes.
Workarounds
- Restrict creation of user and network namespaces by setting kernel.unprivileged_userns_clone=0 where supported, reducing access to CAP_NET_ADMIN for unprivileged users.
- Use module blacklisting to disable or restrict nf_tables on hosts that do not require nftables-based firewalling.
- Limit local shell access on multi-tenant systems and container hosts until kernels are patched.
# Configuration example: disable unprivileged user namespaces and verify kernel version
# Note: kernel.unprivileged_userns_clone exists only on kernels carrying the Debian/Ubuntu patch;
# the sysctl call fails harmlessly on other kernels.
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-cve-2024-26809.conf
# Compare the running kernel against the fixed release shipped by your distribution
uname -r
# Optional: prevent nf_tables from loading if unused (takes effect for future module loads;
# unload or reboot if the module is already loaded)
echo 'install nf_tables /bin/true' | sudo tee /etc/modprobe.d/disable-nf_tables.conf
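To confirm that the workarounds above are actually in effect on a host, the added script below (not part of the advisory) evaluates the user-namespace sysctls, the modprobe.d configuration, and whether nf_tables is currently loaded. It assumes the Debian/Ubuntu sysctl kernel.unprivileged_userns_clone, the mainline user.max_user_namespaces limit, and the standard /etc/modprobe.d and /proc/modules paths; the decision functions take their inputs as arguments so they can be checked against constructed values.

```shell
#!/bin/sh
# Added example: verify the CVE-2024-26809 workarounds on this host.

# Given the values of kernel.unprivileged_userns_clone and
# user.max_user_namespaces (empty string if a sysctl does not exist on this
# kernel), report whether unprivileged user-namespace creation is restricted.
# Assumption: if neither sysctl says 0, creation is allowed (mainline default).
userns_status() {
    clone=$1; maxns=$2
    if [ "$clone" = "0" ] || [ "$maxns" = "0" ]; then
        echo restricted
    else
        echo exposed
    fi
}

# Read modprobe.d text on stdin and report whether an uncommented
# "install nf_tables /bin/true|false" line blocks the module. A plain
# "blacklist" line is not treated as blocking: it only stops alias-based
# autoload and does not stop an explicit modprobe.
nf_tables_blocked() {
    if grep -Eq '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+/bin/(true|false)([[:space:]]|$)'; then
        echo blocked
    else
        echo loadable
    fi
}

# Report the live state of this host (needs sysctl and /proc).
host_report() {
    printf 'userns:    %s\n' "$(userns_status \
        "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" \
        "$(sysctl -n user.max_user_namespaces 2>/dev/null)")"
    printf 'modprobe:  %s\n' "$(cat /etc/modprobe.d/*.conf 2>/dev/null | nf_tables_blocked)"
    if grep -q '^nf_tables ' /proc/modules 2>/dev/null; then
        echo 'nf_tables: loaded'
    else
        echo 'nf_tables: not loaded'
    fi
}
```

Run host_report on the host; a "loaded" nf_tables together with "blocked" means the modprobe rule was added after the module was already loaded, so a reboot or module unload is still required.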
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.