Linux nftables vulnerability exploited in the wild (CrowdStrike)
According to CrowdStrike, a vulnerability in the Linux kernel's nftables code that was discovered earlier this year is being actively exploited in the wild. The vulnerability allows for local privilege escalation. Most distributions have already released a fix.
As noted by the exploit developer, leveraging this POC is dependent on the kernel's unprivileged user namespaces feature accessing nf_tables. This access is enabled by default on Debian, Ubuntu and kernel capture-the-flag (CTF) distributions. An attacker can then trigger the double-free vulnerability, scan the physical memory for the kernel base address, bypass kernel address-space layout randomization (KASLR) and access the modprobe_path kernel variable with read/write privileges. After overwriting the modprobe_path, the exploit drops a root shell.
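
A defender-side check of the two kernel settings named above, as an added example (not code from CrowdStrike or the exploit developer): it reports whether unprivileged user namespaces are open and whether `kernel.modprobe` (the sysctl view of `modprobe_path`) still holds the expected path. The sysctl-root argument and the `/sbin/modprobe` default are assumptions; distributions differ.

```shell
#!/bin/sh
# Added example. The sysctl root is a parameter so the checks can also be run
# against a constructed directory tree instead of the live /proc/sys.

# $1 = sysctl root, $2 = relative path; prints the value, or "absent".
read_sysctl() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo absent; fi
}

# Prints "open" if unprivileged users can create user namespaces (the
# precondition for reaching nf_tables without privileges), else "restricted".
userns_state() {
    root=${1:-/proc/sys}
    max=$(read_sysctl "$root" user/max_user_namespaces)
    clone=$(read_sysctl "$root" kernel/unprivileged_userns_clone)
    aa=$(read_sysctl "$root" kernel/apparmor_restrict_unprivileged_userns)
    # Mainline knob: 0 (or no user-namespace support at all) blocks creation.
    if [ "$max" = 0 ] || [ "$max" = absent ]; then echo restricted; return; fi
    # Debian/Ubuntu knob: 0 limits user-namespace creation to privileged users.
    if [ "$clone" = 0 ]; then echo restricted; return; fi
    # Ubuntu AppArmor knob: 1 restricts unprivileged user namespaces.
    if [ "$aa" = 1 ]; then echo restricted; return; fi
    echo open
}

# Prints "ok" if kernel.modprobe matches the expected helper path,
# otherwise "changed:<current value>".
# Assumption: /sbin/modprobe is the expected path; pass another as $2.
modprobe_state() {
    root=${1:-/proc/sys}
    expected=${2:-/sbin/modprobe}
    cur=$(read_sysctl "$root" kernel/modprobe)
    if [ "$cur" = "$expected" ]; then echo ok; else echo "changed:$cur"; fi
}

echo "userns: $(userns_state)  modprobe: $(modprobe_state)"
```

A `changed:` result is worth investigating, but `ok` proves nothing on its own, since the value can be restored after use; the durable mitigations are the distribution's kernel fix and, where unprivileged user namespaces are not needed, setting one of the knobs above.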