CVE-2024-26809

Published Apr 4, 2024

Last updated a year ago

CVSS medium 5.5
Linux Kernel

Overview

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path").
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Analyzed
Products
linux_kernel, debian_linux

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. #Linux #Vulnerability PoC Released: CVE-2024-26809 Exploits nftables Double-Free to Achieve Root Shell https://t.co/S2JYIri86W

    @Komodosec

    6 Jul 2025

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Linux Kernel hit as PoC exploit for critical nftables flaw CVE-2024-26809 opens door to full root access via double-free attack. #LinuxSecurity #CVE202426809 #KernelExploit https://t.co/qwgN8J0KvR

    @CyberSecTV_eu

    27 May 2025

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ادمین های سرورهای لینوکسی توجه کنید . به تازگی آسیب پذیری جدیدی با کد شناسایی CVE-2024-26809 و از نوع privilege escalation و RCE برای فایروال nftables در لینوکس منتشر شده است. کر

    @AmirHossein_sec

    18 May 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Linuxカーネルのnftablesにおける二重解放の脆弱性CVE-2024-26809に対応するPoC(攻撃の概念実証コード)が公表された。nft_pipapo_destroy()の実装における不備。ヒープスプレー及びROPチェーンとの組み合わせでrootへの

    @__kokumoto

    12 May 2025

    2083 Impressions

    6 Retweets

    27 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2024-26809: Critical nftables Vulnerability in Linux Kernel Could Lead to Root Access https://t.co/sytmVFZmY6 A critical security flaw has been discovered in the Linux kernel's nftables subsystem, which is responsible for packet filtering in modern Linux distributions. Th

    @f1tym1

    12 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🔥 PoC Exploit Released for Linux Kernel’s nftables Subsystem Vulnerability | Read more: https://t.co/5ktwmzmkhN A critical Proof-of-Concept (PoC) exploit has been released for a significant vulnerability in the Linux kernel’s nftables subsystem, tracked as CVE-2024-26809.

    @The_Cyber_News

    12 May 2025

    487 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  7. 🚨 Double Trouble: How #CVE-2024-26809 Exposes #Linux Systems to Local Privilege Escalation https://t.co/30IexlJTNU

    @UndercodeNews

    12 May 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 📌 Double-free vulnerability in Linux nftables kernel (CVE-2024-26809) allows attackers to gain root privileges. #CyberSecurity #Linux https://t.co/xmzj5qEQWr https://t.co/lAWd1AuGYQ

    @CyberHub_blog

    12 May 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. PoC Released: CVE-2024-26809 Exploits nftables Double-Free to Achieve Root Shell https://t.co/yd1L3xNBls

    @Dinosn

    12 May 2025

    3261 Impressions

    6 Retweets

    20 Likes

    12 Bookmarks

    0 Replies

    0 Quotes

  10. Linuxカーネルのnftablesサブシステム(net/netfilterモジュール)において、CVE-2024-26809として追跡される深刻な脆弱性が発見された。 これは、nft_pipapo_destroy()関数におけるダブルフリーの不具合で、特定条件下で同

    @yousukezan

    12 May 2025

    1536 Impressions

    0 Retweets

    8 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  11. 🗣️ PoC Released: CVE-2024-26809 Exploits nftables Double-Free to Achieve Root Shell https://t.co/aQSDECIx09

    @fridaysecurity

    12 May 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. PoC Released: CVE-2024-26809 Exploits nftables Double-Free to Achieve Root Shell https://t.co/q9upPy6eMe

    @the_yellow_fall

    12 May 2025

    1428 Impressions

    12 Retweets

    13 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  13. Top 5 Trending CVEs: 1 - CVE-2025-3776 2 - CVE-2024-26809 3 - CVE-2025-46337 4 - CVE-2025-26529 5 - CVE-2025-32433 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    4 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. [1day1line] CVE-2024-26809: Linux Kernel Netfilter Use-After-Free Leading to LPE Vulnerability https://t.co/VRDkQhkeAg This NetFilter LPE vulnerability was submitted to KernelCTF. It's quite a complex vulnerability...

    @hackyboiz

    3 May 2025

    2205 Impressions

    14 Retweets

    61 Likes

    16 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses.CVE-2026-23226
  2. MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.CVE-2026-25506
  3. In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions.CVE-2026-23067
  4. In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call.CVE-2026-23068
  5. In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that. [Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message]CVE-2026-23069

References

Sources include official advisories and independent security research.