CVE-2024-0193 in Linux
Summary
by MITRE • 01/02/2024
A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user with CAP_NET_ADMIN capability to escalate their privileges on the system.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/09/2025
The vulnerability identified as CVE-2024-0193 represents a critical use-after-free flaw within the netfilter subsystem of the Linux kernel, specifically affecting the pipapo set implementation. This issue arises from improper memory management during the garbage collection process of catchall elements within network filter chains. The flaw demonstrates a classic double-free condition that can be exploited by malicious actors to gain elevated privileges on affected systems. The vulnerability is particularly concerning because it requires only CAP_NET_ADMIN capability, which is often available to unprivileged users in containerized environments or when running network management tools.
The technical implementation of this flaw occurs within the netfilter subsystem where pipapo sets are used for efficient network packet filtering operations. When a pipapo set is removed from memory, the catchall element undergoes garbage collection, but the system fails to properly track the deactivation state of this element. This oversight allows the system to attempt to deactivate the same memory location twice, creating a use-after-free condition that can be exploited to manipulate memory contents. The vulnerability specifically targets NFT_CHAIN and NFT_OBJECT structures, which are fundamental components of the Netfilter framework that handle network filtering rules and objects respectively.
The operational impact of CVE-2024-0193 extends beyond simple privilege escalation as it provides attackers with a pathway to achieve local code execution within the kernel space. This vulnerability affects systems running Linux kernel versions where the netfilter subsystem has not been patched, potentially compromising the integrity of network filtering operations and exposing systems to further attacks. The use of CAP_NET_ADMIN capability means that even users without direct root access can leverage this vulnerability, making it particularly dangerous in multi-tenant environments or containerized deployments where such capabilities are commonly granted. The attack vector requires local access and specific privileges, but the potential for privilege escalation makes this a high-severity issue that should be addressed immediately.
Mitigation strategies for CVE-2024-0193 primarily focus on applying the latest kernel patches from the Linux kernel maintainers, which address the double-free condition in the pipapo set garbage collection mechanism. System administrators should prioritize updating their kernel versions to include fixes that properly handle the deactivation of catchall elements during pipapo set removal. Additionally, implementing proper privilege separation and limiting CAP_NET_ADMIN capabilities where possible can reduce the attack surface. The vulnerability aligns with CWE-415 which addresses double free conditions in memory management, and represents a specific implementation of the broader category of use-after-free vulnerabilities that are frequently exploited in kernel-level attacks. Organizations should also consider implementing monitoring solutions that can detect anomalous memory access patterns or unexpected kernel behavior that might indicate exploitation attempts.