438/68 Monday, November 3, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially confirmed that a high-severity vulnerability in the Linux kernel (tracked as CVE-2024-1086) is now being actively exploited by ransomware groups. Although the flaw was disclosed and patched in January 2024, investigations have revealed that it stems from a long-standing “use-after-free” bug in the netfilter: nf_tables component. The vulnerable code had existed in the Linux kernel for nearly a decade, since February 2014.
The critical danger of CVE-2024-1086 lies in its ability to allow attackers with local user access to escalate privileges to root, gaining full administrative control over affected systems. Once root privileges are obtained, attackers can disable security mechanisms, modify files, install malware, steal sensitive data, or move laterally across networks. The vulnerability affects multiple major Linux distributions—including Debian, Ubuntu, Fedora, and Red Hat—running kernel versions 3.15 through 6.8-rc1.
CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and mandated that all U.S. federal agencies patch affected systems by June 20, 2024. The agency emphasized that such vulnerabilities are “frequently exploited attack vectors” posing “significant risk” to unpatched systems. For administrators unable to apply patches, CISA recommends immediate mitigation measures, such as disabling ‘nf_tables’ if it is not in use or restricting access to user namespaces, to reduce the overall attack surface.
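The three conditions named above (kernel version range, nf_tables in use, user namespaces open to unprivileged users) can be checked on a host with a read-only script. This is an added example, not part of the CISA guidance; the function names are hypothetical, and the version test uses only the range stated in this bulletin, so a match means the vendor's patch level still has to be confirmed.

```shell
#!/bin/sh
# Added example (not from the bulletin): read-only exposure check for CVE-2024-1086.
# Function names are hypothetical; nothing on the host is changed.

# Exit 0 if the release string falls in 3.15 .. 6.8-rc1, the range the bulletin gives.
# Distro kernels backport fixes, so a match is a prompt to check the vendor advisory.
in_affected_range() {
    ver=${1%%-*}                          # drop "-rc1", "-generic", distro suffixes
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac   # unparseable release string
    done
    if [ "$major" -eq 3 ] && [ "$minor" -ge 15 ]; then return 0; fi
    if [ "$major" -eq 4 ] || [ "$major" -eq 5 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -eq 8 ]; then
        case "$1" in *-rc1*) return 0 ;; esac        # 6.8-rc1 is the upper bound
    fi
    return 1
}

# Exit 0 if nf_tables is listed in a /proc/modules-format file (built-in code is not listed).
nft_loaded() { grep -q '^nf_tables ' "$1" 2>/dev/null; }

# Exit 0 if unprivileged user namespaces look available.
# $1 = kernel.unprivileged_userns_clone (Debian/Ubuntu sysctl, may be empty), $2 = user.max_user_namespaces
userns_open() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then return 1; fi
    return 0
}

# Report the three findings for the running host.
audit_host() {
    rel=$(uname -r)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
    if in_affected_range "$rel"; then echo "kernel $rel: in stated range, confirm vendor patch level"
    else echo "kernel $rel: outside stated range"; fi
    if nft_loaded /proc/modules; then echo "nf_tables: loaded"
    else echo "nf_tables: not loaded as a module"; fi
    if userns_open "$clone" "$maxns"; then echo "user namespaces: available to unprivileged users"
    else echo "user namespaces: restricted"; fi
}

audit_host
```

A host that reports all three conditions is the case the mitigation advice targets; patching remains the fix, and the two mitigations only reduce exposure until it is applied.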
