← All newsletters

A Linux kernel privilege escalation worth patching tonight.

What the advisory actually says, who is affected, what to patch first, and a 10-line mitigation script.

This issue covers a kernel CVE published last Friday. We are writing about it because the exploit code is already public and the patch is not yet backported to some LTS distributions you probably run.

What it is

A flaw in the kernel's nf_tables subsystem allows an unprivileged user to escalate to root on a vulnerable host. The bug was reported by a major distribution's security team in May and patched in mainline the same week.

Who is affected

Any Linux system running kernel 6.4 or newer with nf_tables loaded (Ubuntu 23.10+, Debian 12 with the nftables package, Fedora 39+, RHEL 9 with the nftables kmod). Cloud VMs running container hosts are particularly exposed; bare-metal hosts less so but still vulnerable.

What to patch first

If you run unattended-upgrades on Debian/Ubuntu the patch has already arrived. If you manage kernels yourself: apt install --install-recommends linux-image-<latest> on Debian, dnf update kernel on Fedora. Reboot. There is no module-level mitigation; you need a new kernel.

If you cannot reboot yet

# Roll back to the previous kernel
sudo apt install linux-image-6.5.0-44-generic
sudo reboot

# Blacklist the nft module until you can patch
echo "blacklist nf_tables" | sudo tee /etc/modprobe.d/disable-nftables.conf
sudo update-initramfs -u

The exploit

Public PoC targets cloud metadata APIs first, which is a useful tell when reading your logs: any process calling 169.254.169.254 at unexpected times is now suspect. Watch your iptables.

What we are not telling you

There is a separate, less-public set of kernel CVEs in the same release cycle that haven't fully landed. Expect another emergency in roughly two weeks. Watch the Linux Foundation's security notices for coordinated disclosure timing.

Subscribe to Open Source Security for the biweekly edition.