CVE-2022-2586
published 2024-01-08

CVE-2022-2586: It was discovered that an nft object or expression could reference an nft set on a different nft table, leading to a use-after-free once that table was deleted.

Priority: P180 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-07-17
Exploited in the wild
EPSS: 12.75% (95.8th percentile)

Affected

41 ranges, showing 25

Vendor    | Product      | Version range                                                                            | Fixed in
canonical | ubuntu_linux |                                                                                          |
canonical | ubuntu_linux |                                                                                          |
canonical | ubuntu_linux |                                                                                          |
canonical | ubuntu_linux |                                                                                          |
canonical | ubuntu_linux |                                                                                          |
debian    | linux        | < linux 6.0.2-1 (bookworm)                                                               | linux 6.0.2-1 (bookworm)
debian    | linux        | < linux 5.18.16-1 (bookworm)                                                             | linux 5.18.16-1 (bookworm)
linux     | linux        |                                                                                          |
linux     | linux        | >= 958bee14d0718ca7a5002c0f48a099d1d345812a < 77d3b5038b7462318f5183e2ad704b01d57215a2 | 77d3b5038b7462318f5183e2ad704b01d57215a2
linux     | linux        | >= 958bee14d0718ca7a5002c0f48a099d1d345812a < fab2f61cc3b0e441b1749f017cfee75f9bbaded7 | fab2f61cc3b0e441b1749f017cfee75f9bbaded7
linux     | linux        | >= 958bee14d0718ca7a5002c0f48a099d1d345812a < 1a4b18b1ff11ba26f9a852019d674fde9d1d1cff | 1a4b18b1ff11ba26f9a852019d674fde9d1d1cff
linux     | linux        | >= 958bee14d0718ca7a5002c0f48a099d1d345812a < faafd9286f1355c76fe9ac3021c280297213330e | faafd9286f1355c76fe9ac3021c280297213330e
linux     | linux        | >= 958bee14d0718ca7a5002c0f48a099d1d345812a < f4fa03410f7c5f5bd8f90e9c11e9a8c4b526ff6f | f4fa03410f7c5f5bd8f90e9c11e9a8c4b526ff6f
linux     | linux        | >= 958bee14d0718ca7a5002c0f48a099d1d345812a < 0d07039397527361850c554c192e749cfc879ea9 | 0d07039397527361850c554c192e749cfc879ea9
linux     | linux        | >= 958bee14d0718ca7a5002c0f48a099d1d345812a < 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 | 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2
linux     | linux_kernel | <= 5.19.17                                                                               |
linux     | linux_kernel |                                                                                          |
linux     | linux_kernel | >= 0 < 5.10.140-1                                                                        | 5.10.140-1
linux     | linux_kernel | >= 0 < 5.10.136-1                                                                        | 5.10.136-1
linux     | linux_kernel | >= 0 < 6.0.2-1                                                                           | 6.0.2-1
linux     | linux_kernel | >= 0 < 5.18.16-1                                                                         | 5.18.16-1
linux     | linux_kernel | >= 0 < 6.0.2-1                                                                           | 6.0.2-1
linux     | linux_kernel | >= 0 < 5.18.16-1                                                                         | 5.18.16-1
linux     | linux_kernel | >= 0 < 6.0.2-1                                                                           | 6.0.2-1
linux     | linux_kernel | >= 0 < 5.18.16-1                                                                         | 5.18.16-1

Detection & IOCs (extracted from sources)

  • The vulnerability is in the netfilter nf_tables subsystem: an nft object or expression references an nft set in a *different* nft table via SET_ID, enabling use-after-free after table deletion. Detection should focus on cross-table nft SET_ID references in netlink/nftables batch operations.
  • The vulnerability is also tracked as ZDI-CAN-17470; threat intel or exploit samples may be indexed under that identifier.
  • Exploitation requires a local, privileged attacker; monitor for local privilege escalation attempts via nftables API calls (net/netfilter/nf_tables_api.c), particularly batch operations that add/delete tables while holding cross-table set references.
  • Scope is local; alert on unexpected nftables rule/table manipulation (e.g., nft commands creating sets in one table and referencing them from another) by non-root or container-escaped processes.
  • Red Hat Enterprise Linux 6 and 7 (including kernel-rt) are listed as Not Affected; detection/patching efforts should focus on RHEL 8+ and other distributions.
  • Debian bookworm/sid/trixie/forky are fixed in kernel 5.18.16-1; bullseye is fixed in 5.10.136-1. Systems running older kernels remain vulnerable.
  • Ubuntu fix is delivered via USN-5565-1 and USN-5567-1; an ABI change means third-party kernel modules must be recompiled after patching.
  • Red Hat states no mitigation meeting their criteria is currently available for affected versions.
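The detection notes above come down to one condition: a rule in one nft table referencing a set defined in another. The script below is an added example, not code from this page or from the nftables project; it audits a ruleset dump for that condition. It assumes the JSON shape produced by `nft -j list ruleset` (sets and maps carry `family`/`table`/`name`, rules reference them as `"@name"` inside `expr`), and the sample ruleset is constructed for the example.

```python
import json
from typing import Any, Iterator

# Constructed sample shaped like `nft -j list ruleset` output (libnftables JSON
# format as assumed here, not taken from the page): table "filter" defines set
# "blocklist"; a rule in table "other" names that set although "other" defines none.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"set": {"family": "inet", "name": "blocklist", "table": "filter",
             "type": "ipv4_addr", "handle": 2}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 3}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4,
              "expr": [{"match": {"op": "==", "right": "@blocklist", "left": {
                  "payload": {"protocol": "ip", "field": "saddr"}}}}, {"drop": None}]}},
    {"table": {"family": "inet", "name": "other", "handle": 5}},
    {"chain": {"family": "inet", "table": "other", "name": "input", "handle": 6}},
    {"rule": {"family": "inet", "table": "other", "chain": "input", "handle": 7,
              "expr": [{"match": {"op": "==", "right": "@blocklist", "left": {
                  "payload": {"protocol": "ip", "field": "saddr"}}}}, {"drop": None}]}},
]})

def set_references(node: Any) -> Iterator[str]:
    """Yield every '@name' set/map reference found anywhere in an expr tree."""
    if isinstance(node, str) and node.startswith("@"):
        yield node[1:]
    elif isinstance(node, dict):
        for value in node.values():
            yield from set_references(value)
    elif isinstance(node, list):
        for value in node:
            yield from set_references(value)

def find_foreign_set_refs(ruleset_json: str) -> list[dict]:
    """Return rules whose expressions name a set/map not defined in the rule's own table."""
    objects = json.loads(ruleset_json)["nftables"]
    # Sets and maps are scoped to (family, table); anything else is the condition to flag.
    defined = {(o["family"], o["table"], o["name"])
               for obj in objects for kind in ("set", "map") if (o := obj.get(kind))}
    findings = []
    for obj in objects:
        rule = obj.get("rule")
        if rule:
            for name in set_references(rule.get("expr", [])):
                if (rule["family"], rule["table"], name) not in defined:
                    findings.append({"family": rule["family"], "table": rule["table"],
                                     "chain": rule["chain"], "handle": rule["handle"], "set": name})
    return findings

if __name__ == "__main__":
    for hit in find_foreign_set_refs(SAMPLE_RULESET):
        print(f"rule {hit['handle']} ({hit['family']} {hit['table']}/{hit['chain']}) references set '{hit['set']}' not defined in its table")
```

On a live host, feed the script the output of `nft -j list ruleset` instead of the constructed sample; a hit is a set reference that should never have been accepted on a patched kernel.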

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv           |         | 7.8   | HIGH     |
vulncheck     |         | 5.3   | MEDIUM   |
cisa          |         | 7.8   | HIGH     |
vendor_msrc   |         | 7.8   | HIGH     |
vendor_ubuntu |         | 7.8   | HIGH     |
vendor_debian |         | 5.3   | MEDIUM   |
vendor_redhat |         | 5.3   | MEDIUM   |