Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that's being actively exploited in ransomware campaigns
Blog post from Sysdig
CVE-2024-1086 is a critical vulnerability in the Linux kernel's netfilter component. It is actively exploited in ransomware campaigns because it grants root privileges, which makes it a significant threat to Linux-based systems. Discovered in January 2024 and patched in the Linux kernel the following month, this use-after-free vulnerability had existed for over a decade, affecting kernel versions from 3.15 to 6.8-rc1. The flaw arises from improper validation of verdict parameters in the nft_verdict_init() function, leading to a double-free condition that attackers can exploit to execute malicious code and gain root access. The vulnerability is particularly concerning for multi-tenant Linux systems, container hosts, and internet-exposed servers, as it enables post-compromise privilege escalation, defense evasion, and lateral movement. Public proof-of-concept code has made exploitation more accessible, and Sysdig Secure offers detection capabilities to identify potential exploitation attempts. Given the vulnerability's critical nature and decade-long existence, organizations are urged to prioritize patching to protect their Linux infrastructure from ransomware attacks.
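As an added example (not code from the Sysdig post), the following Python script gives a defender a first triage answer: does a host's kernel release string, as printed by `uname -r`, fall inside the version range the post states as affected (3.15 through 6.8-rc1)? The parser, the tuple ordering that places release candidates before the final release, and the function names are my own. The caveat that distribution kernels often carry backported fixes under an older version number is general knowledge about vendor kernels, not something the post states.

```python
import re
import subprocess

# Affected range as stated in the post: kernel 3.15 through 6.8-rc1, inclusive.
# Versions are compared as tuples (major, minor, patch, is_release, rc_number):
# a release candidate (is_release=0) sorts before the final release (is_release=1)
# of the same number, so 6.8-rc1 < 6.8-rc2 < 6.8.
AFFECTED_FROM = (3, 15, 0, 1, 0)   # 3.15 final
AFFECTED_TO = (6, 8, 0, 0, 1)      # 6.8-rc1

# Matches "6.8-rc1", "6.8.0-rc1", "5.15.0-91-generic", "3.10.0-1160.el7.x86_64".
# Distribution suffixes after the numeric part are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]rc(\d+))?")


def parse_kernel_version(release):
    """Turn a kernel release string into a comparable tuple (assumed format above)."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    patch = int(patch) if patch else 0
    if rc is None:
        return (int(major), int(minor), patch, 1, 0)
    return (int(major), int(minor), patch, 0, int(rc))


def is_in_affected_range(release):
    """True if the upstream version number lies within 3.15 .. 6.8-rc1."""
    return AFFECTED_FROM <= parse_kernel_version(release) <= AFFECTED_TO


def triage(release):
    """Human-readable verdict; version alone is a hint, not proof, for vendor kernels."""
    if is_in_affected_range(release):
        return (f"{release.strip()}: upstream version is in the affected range "
                f"for CVE-2024-1086; confirm against your distribution's advisory, "
                f"since vendor kernels often backport the fix without changing the version")
    return (f"{release.strip()}: upstream version is outside the affected range "
            f"for CVE-2024-1086")


def check_running_kernel():
    """Run uname -r on this host (Linux only) and triage the result."""
    out = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True)
    return triage(out.stdout)


if __name__ == "__main__":
    # Constructed sample release strings, then the live host.
    for sample in ["6.8-rc1", "6.8.0-rc2", "5.15.0-91-generic", "3.14.79"]:
        print(triage(sample))
    print(check_running_kernel())
```

A result inside the range means "go and check", not "confirmed vulnerable": Sysdig's post recommends patching, and the authoritative answer for a distribution kernel is the vendor's advisory or package changelog, because a fixed kernel can keep a version number that this check still classifies as affected.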