What is Linux nf_tables?
nf_tables is the Linux kernel packet-filtering framework that succeeded iptables (iptables-nft now translates legacy rules onto it). It is configured from user space over netlink (the NETLINK_NETFILTER family) and manages tables, chains, rules, sets, maps and stateful objects, with updates applied as atomic batches. Because that control plane runs in the kernel, and because an unprivileged user can usually reach it by creating a user namespace plus a network namespace, bugs in nf_tables object lifecycle management are a recurring source of use-after-free primitives for local privilege escalation.
Overview
CVE-2022-2586 is a use-after-free vulnerability (CWE-416) in the nf_tables component of the Linux kernel. A rule (or other object or expression) created in one table could reference a set owned by a different table; when the owning table was deleted, the set was freed while the rule in the other table still held a pointer to it. A local low-privileged user can trigger this with ordinary nf_tables netlink commands, and successful exploitation can lead to privilege escalation to root. CISA added the CVE to its Known Exploited Vulnerabilities catalog in June 2024, two years after the original disclosure, meaning it had evidence of active exploitation.
Affected Versions
| Component | Vulnerable | Fixed |
|---|---|---|
| Linux kernel | Versions before the August 2022 upstream fix | Fixed upstream in August 2022 and backported to maintained stable series |
| Android (kernel-based) | Selected versions | Vendor security updates |
| Ubuntu, RHEL, Debian, SUSE | Varies by distro | Distro-specific security updates |
Technical Details
The vulnerability is in net/netfilter/nf_tables_api.c. Within one netlink batch, an object that has not yet been committed (and so has no handle) can be referenced by a transaction-scoped ID, for example a lookup expression naming a set by NFTA_SET_ID. The lookup by ID did not verify that the referenced set belonged to the same table as the object referencing it, so references could cross table boundaries while table deletion only tears down the objects the deleted table owns:
- Root cause: a rule in table B could reference a set owned by table A by its batch ID. Deleting table A freed the set, but B's rule was never updated or rejected, so it kept a dangling pointer that is dereferenced on the next packet evaluation or rule dump.
- Fix: the upstream fix series rejects references that point into a different table, so a cross-table set ID (and likewise chain and rule IDs) is simply not found and the referencing command fails.
- Exploitation: a local attacker creates the cross-table reference, deletes the owning table, then reclaims the freed slab object with attacker-controlled data so later use of the dangling pointer reads or writes memory the attacker shaped; from there the usual kernel heap techniques lead to code execution.
- Attack vector: local. nf_tables is driven over a NETLINK_NETFILTER socket and requires CAP_NET_ADMIN in the current network namespace. An unprivileged user obtains that by creating a user namespace and a network namespace (unshare(CLONE_NEWUSER|CLONE_NEWNET)), which is allowed by default on most distributions unless unprivileged user namespaces have been disabled or are confined by AppArmor or seccomp.
- Impact: local privilege escalation to root.
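The lifecycle sequence above, as an added toy model in C written for this page (it is not kernel code and none of the names are kernel identifiers): sets are owned by tables, rules hold a pointer to the set their lookup expression names, and the only difference between the vulnerable and fixed paths is whether a set ID may resolve to a set in another table. Freeing is modeled with a flag rather than a real free so the dangling pointer can be inspected safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the object lifecycle behind CVE-2022-2586. All names here
 * (toy_table, toy_set, toy_rule, ...) are this example's own, not kernel
 * identifiers. A set is owned by exactly one table; a rule belongs to a table
 * and may hold a pointer to a set it looks packets up in. Within one netlink
 * batch, a not-yet-committed set is referenced by a transaction-scoped ID. */

#define MAX_SETS 4

struct toy_set {
    unsigned int id;        /* transaction-scoped ID used in the batch */
    const char *name;
    bool freed;             /* stands in for kfree(): set when the owner dies */
};

struct toy_table {
    const char *name;
    struct toy_set *sets[MAX_SETS];
    int nsets;
};

struct toy_rule {
    struct toy_table *table;   /* table the rule was added to */
    struct toy_set *set;       /* set its lookup expression points at */
};

/* Pre-fix lookup: a set ID resolves against every table in the batch,
 * so a rule in table b can bind to a set owned by table a. */
static struct toy_set *lookup_set_byid_any_table(struct toy_table **tables,
                                                 int ntables, unsigned int id)
{
    for (int t = 0; t < ntables; t++)
        for (int i = 0; i < tables[t]->nsets; i++)
            if (tables[t]->sets[i]->id == id)
                return tables[t]->sets[i];
    return NULL;
}

/* Post-fix lookup: the set must belong to the table the rule is in;
 * a cross-table ID is simply not found and the rule is rejected. */
static struct toy_set *lookup_set_byid_same_table(struct toy_table *ctx,
                                                  unsigned int id)
{
    for (int i = 0; i < ctx->nsets; i++)
        if (ctx->sets[i]->id == id)
            return ctx->sets[i];
    return NULL;
}

/* Deleting a table releases everything it owns, including its sets.
 * Nothing here walks other tables to find rules still pointing at them. */
static void destroy_table(struct toy_table *t)
{
    for (int i = 0; i < t->nsets; i++)
        t->sets[i]->freed = true;
    t->nsets = 0;
}

/* Replays the CVE-2022-2586 sequence against either lookup policy.
 * Returns 1 if the rule ends up holding a dangling set pointer (the UAF),
 * 0 if the cross-table rule was rejected or the pointer stayed valid. */
int replay_cross_table_uaf(bool fixed_lookup)
{
    struct toy_set s = { .id = 1, .name = "s", .freed = false };
    struct toy_table a = { .name = "a", .sets = { &s }, .nsets = 1 };
    struct toy_table b = { .name = "b", .nsets = 0 };
    struct toy_table *batch[] = { &a, &b };
    struct toy_rule r = { .table = &b, .set = NULL };

    /* 1. One batch: NEWSET in table a (id 1), NEWRULE in table b whose
     *    lookup expression names set id 1. */
    r.set = fixed_lookup ? lookup_set_byid_same_table(r.table, 1)
                         : lookup_set_byid_any_table(batch, 2, 1);
    if (r.set == NULL)
        return 0;           /* fixed kernel: NEWRULE fails, no reference taken */

    /* 2. DELTABLE a: the set is freed; table b and its rule are untouched. */
    destroy_table(&a);

    /* 3. The rule in b still points at the set. In the real kernel the next
     *    packet evaluation or rule dump dereferences freed memory. */
    return r.set->freed ? 1 : 0;
}

int main(void)
{
    printf("pre-fix lookup:  dangling=%d\n", replay_cross_table_uaf(false));
    printf("post-fix lookup: dangling=%d\n", replay_cross_table_uaf(true));
    return 0;
}
```

The point of the model is where the fix sits: not in table deletion (which still only tears down what the table owns) but in the reference lookup, which is the only place the kernel sees both the referencing object's table and the referenced set's table at once.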
Discovery
Reported by Moshe Kol and Shlomi Oberman, disclosed to the oss-security mailing list in August 2022.
Exploitation Context
The two-year gap between the oss-security disclosure (2022) and the CISA KEV addition (2024) means evidence of in-the-wild exploitation surfaced, or was confirmed, long after patches were available; the KEV entry itself does not say who exploited the bug or against what. More broadly, nf_tables has been one of the most productive Linux kernel subsystems for local privilege escalation, because its control plane is reachable by unprivileged users through user namespaces and its object lifecycle is complex; other nf_tables lifecycle bugs such as CVE-2023-32233 (an anonymous-set use-after-free) have public exploits.
Remediation
- Apply the latest Linux kernel security updates from your distribution's security repositories
- For Android devices: apply manufacturer security patches for your device model
- On desktop/server Linux that does not need unprivileged user namespaces, disable them: set the upstream sysctl user.max_user_namespaces=0, or on Debian/Ubuntu kernels that carry the patch, kernel.unprivileged_userns_clone=0 (recent Ubuntu releases can instead confine them with kernel.apparmor_restrict_unprivileged_userns=1). Without a user namespace an unprivileged user cannot obtain CAP_NET_ADMIN and cannot reach nf_tables at all, which removes the attack surface for this and similar nf_tables bugs
- Where user namespaces must stay enabled, a seccomp or AppArmor profile on untrusted workloads can still block unshare/clone with CLONE_NEWUSER, or block AF_NETLINK sockets of the NETLINK_NETFILTER family
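The check behind those two bullets, as an added probe written for this page (not a tool from the page's references or the kernel project): it forks a child that tries to obtain a user namespace and a network namespace, which is exactly how an unprivileged user gets the CAP_NET_ADMIN that nf_tables requires, and then opens the NETLINK_NETFILTER socket nf_tables commands travel over. Run it as an ordinary user; the enum names and the fallback constant definitions are this example's own.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fallbacks so the probe builds even if the GNU feature macros or kernel
 * headers are not picked up; the values are the standard Linux ones. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
#ifndef NETLINK_NETFILTER
#define NETLINK_NETFILTER 12   /* netlink family nf_tables is configured over */
#endif
int unshare(int flags);

enum nft_reach {
    NFT_REACH_OPEN = 0,             /* unprivileged user can drive nf_tables */
    NFT_REACH_ALREADY_PRIVILEGED,   /* running as root: probe is meaningless */
    NFT_REACH_USERNS_BLOCKED,       /* unshare(CLONE_NEWUSER) denied */
    NFT_REACH_NETNS_BLOCKED,        /* CLONE_NEWNET denied inside the new userns */
    NFT_REACH_NO_NETFILTER_NETLINK, /* no NETLINK_NETFILTER socket available */
    NFT_REACH_PROBE_FAILED,         /* fork/wait failed; result unknown */
};

/* Runs in a throwaway child: become "root" in a fresh user namespace, take a
 * fresh network namespace (where that root holds CAP_NET_ADMIN, which is all
 * nf_tables asks for), then open the socket nf_tables commands go over. */
static int probe_child(void)
{
    if (unshare(CLONE_NEWUSER) != 0)
        return NFT_REACH_USERNS_BLOCKED;
    if (unshare(CLONE_NEWNET) != 0)
        return NFT_REACH_NETNS_BLOCKED;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (fd < 0)
        return NFT_REACH_NO_NETFILTER_NETLINK;
    close(fd);
    return NFT_REACH_OPEN;
}

/* Entry point: forks so the caller's own namespaces are untouched. */
int probe_nft_reachability(void)
{
    if (geteuid() == 0)
        return NFT_REACH_ALREADY_PRIVILEGED;
    pid_t pid = fork();
    if (pid < 0)
        return NFT_REACH_PROBE_FAILED;
    if (pid == 0)
        _exit(probe_child());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NFT_REACH_PROBE_FAILED;
    return WEXITSTATUS(status);
}

const char *nft_reach_describe(int r)
{
    switch (r) {
    case NFT_REACH_OPEN:
        return "EXPOSED: unprivileged user can reach nf_tables via user+net namespaces";
    case NFT_REACH_ALREADY_PRIVILEGED:
        return "running as root; rerun as an unprivileged user";
    case NFT_REACH_USERNS_BLOCKED:
        return "mitigated: unprivileged user namespaces are disabled";
    case NFT_REACH_NETNS_BLOCKED:
        return "mitigated: network namespace creation denied";
    case NFT_REACH_NO_NETFILTER_NETLINK:
        return "mitigated: NETLINK_NETFILTER socket unavailable";
    default:
        return "probe failed; result unknown";
    }
}

int main(void)
{
    int r = probe_nft_reachability();
    puts(nft_reach_describe(r));
    return r == NFT_REACH_OPEN ? 1 : 0;
}
```

"EXPOSED" means the namespace path is open, not that the kernel is unpatched: it is the precondition an unprivileged local attacker needs for this bug and for every other nf_tables bug, so it is the state the sysctls above are meant to remove. The probe does not load or exercise nf_tables itself; confirming the fix is a matter of the running kernel version against your distribution's advisory.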
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-2586 |
| Vendor / Product | Linux — Kernel |
| NVD Published | 2024-01-08 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 5.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H |
| Severity | MEDIUM |
| CWE | CWE-416 (Use After Free) |
| CISA KEV Added | 2024-06-26 |
| CISA KEV Deadline | 2024-07-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-08-05 | Vulnerability disclosed on oss-security mailing list |
| 2024-01-08 | CVE formally published |
| 2024-06-26 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2024-07-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| oss-security — Linux kernel: nf_tables UAF disclosure | Security Research |
| NVD — CVE-2022-2586 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |