CISA confirms Linux kernel flaw exploited in ransomware attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a high-severity local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2024-1086, is now being exploited by ransomware gangs. The flaw, a use-after-free in the netfilter nf_tables subsystem, was introduced by a change in February 2014 and patched in January 2024. It affects major Linux distributions including Debian, Ubuntu, Fedora, and Red Hat.

On October 31, 2025, CISA updated its Known Exploited Vulnerabilities (KEV) catalog to flag CVE-2024-1086 as actively used in ransomware campaigns, though it provided no specifics on the attacks or responsible groups. The vulnerability enables local attackers to escalate privileges to root level, potentially allowing system takeover, disabling defenses, file modifications, malware installation, lateral network movement, and data theft.

Disclosed on January 31, 2024, the flaw was fixed through a kernel commit that month but stemmed from a change a decade earlier. In late March 2024, security researcher 'Notselwyn' released a detailed analysis and proof-of-concept exploit on GitHub, demonstrating privilege escalation on Linux kernels from versions 5.14 to 6.6. The issue impacts upstream kernels from 3.15 to 6.8-rc1 across various distributions; because distribution kernels backport fixes without changing the upstream version string, the vendor's advisory, not the version number, determines whether a given build is patched.

CISA added the vulnerability to its KEV catalog on May 30, 2024, and mandated that federal agencies patch by June 20, 2024. For systems that cannot be patched immediately, recommended mitigations include blocklisting the 'nf_tables' module if it is not needed (this is no help where nf_tables is built into the kernel, and it breaks any nftables-based firewall, including iptables-nft, which many current distributions use by default), disabling unprivileged user namespaces (the public exploit relies on an unprivileged user namespace to obtain the CAP_NET_ADMIN needed to reach nf_tables), or loading the Linux Kernel Runtime Guard (LKRG) module, which may cause instability.
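The following triage script is an added example for the mitigations listed above; it is not CISA's guidance verbatim and not code from the article or from Notselwyn's repository. It checks whether nf_tables is loaded or built in, whether unprivileged user namespaces are enabled, and prints the modprobe.d and sysctl fragments that implement the first two mitigations. File paths and sysctl values are parameters (an assumption made so the logic can be exercised on constructed input); with no arguments it reads the live kernel interfaces of the host it runs on.

```shell
#!/bin/sh
# Added triage helper for the CVE-2024-1086 mitigations; not CISA's or the
# article's code. Paths and sysctl values are parameters so the functions
# can be run against constructed input; defaults are the live interfaces.

# Succeeds if nf_tables is currently loaded as a module, judged from a
# /proc/modules-format listing (first field is the module name).
nf_tables_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -q '^nf_tables ' "$modules_file" 2>/dev/null
}

# Succeeds if nf_tables is compiled into the kernel (CONFIG_NF_TABLES=y),
# judged from a modules.builtin-format listing. A built-in nf_tables cannot
# be blocklisted, so the module mitigation does not apply there.
nf_tables_builtin() {
    builtin_file="${1:-/lib/modules/$(uname -r)/modules.builtin}"
    grep -q '/nf_tables\.ko$' "$builtin_file" 2>/dev/null
}

# Succeeds if unprivileged users may create user namespaces. Two knobs exist:
# kernel.unprivileged_userns_clone (Debian/Ubuntu patch; 0 disables) and
# user.max_user_namespaces (mainline; 0 disables). A knob absent on this
# kernel is treated as permissive, which is the mainline default.
userns_unprivileged_allowed() {
    clone="${1:-$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 1)}"
    max="${2:-$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 1)}"
    [ "$clone" != "0" ] && [ "$max" != "0" ]
}

# One verdict from the checks above. Arguments (all optional): modules file,
# modules.builtin file, unprivileged_userns_clone value, max_user_namespaces
# value. Empty arguments fall through to the live defaults.
exposure() {
    if ! nf_tables_loaded "$1" && ! nf_tables_builtin "$2"; then
        echo "nf_tables-unavailable"   # neither loaded nor built in; a blocklist keeps it that way
    elif userns_unprivileged_allowed "$3" "$4"; then
        echo "exposed"                 # any local user can reach nf_tables through a user namespace
    else
        echo "reduced"                 # only processes already holding CAP_NET_ADMIN reach nf_tables
    fi
}

# modprobe.d fragment that keeps nf_tables from loading. 'blacklist' alone
# only stops alias-based autoloading; the 'install' line also defeats an
# explicit modprobe, which is what a local attacker would attempt.
nf_tables_blocklist_conf() {
    printf 'blacklist nf_tables\ninstall nf_tables /bin/false\n'
}

# sysctl.d fragment that disables unprivileged user namespaces on both kinds
# of kernel; the leading '-' makes sysctl ignore a key this kernel lacks.
userns_sysctl_conf() {
    printf '%s\n' '-kernel.unprivileged_userns_clone = 0' '-user.max_user_namespaces = 0'
}

# Live run on this host. Write the fragments to /etc/modprobe.d/ and
# /etc/sysctl.d/ only after confirming nftables is not this host's firewall.
echo "CVE-2024-1086 exposure on this host: $(exposure)"
```

A verdict of "reduced" still means the vulnerable code is present; it only removes the path by which an unprivileged user reaches it. Patching the kernel remains the fix, and LKRG is the remaining option for hosts that need nftables and unprivileged user namespaces at the same time.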

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA stated. "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable."

Notselwyn noted challenges in exploitation: "When you try to reproduce the bug yourselves, the kernel may panic, even when all mitigations are disabled... I found a way to bypass all usage which could lead to a panic or usual errors and get a highly reliable double-free primitive."
