LK-NETFILTER-UAFPrivilege Escalation

netfilter / nf_tables UAF

Repeating nf_tables bugs (CVE-2022-32250 / 2023-32233 / 2024-1086) — UAF in nft objects, kernel R/W primitive, root via cred-struct overwrite.

§ Where this technique fits

LK-NETFILTER-UAF is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
step 3 / 7

§ What commonly comes next

01
userfaultfd Race
LK-USERFAULTFD · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

nf_tables UAF → kernel R/W → root

§ What commonly comes next