
How to Combat CVE-2024-26809: Linux Nftables Double-Free Vulnerability

June 18, 2025

CVE-2024-26809 is a critical double-free vulnerability in the Linux kernel’s nftables, allowing local privilege escalation and denial-of-service. Learn how to mitigate this high-impact flaw.

Reading Time: 7 minutes

TL;DR:

  • What it is: A Linux kernel flaw allowing double-free memory errors.
  • Impact: Local privilege escalation (root access) and system crashes.
  • Risk: Even low-privilege users or compromised containers can exploit it.
  • Exploits: Ready-to-use exploit kits already exist.
  • Solution: Patch your Linux systems immediately to the latest kernel version.

Technical Overview

CVE-2024-26809 is a vulnerability in the Linux kernel function nft_pipapo_destroy(). Attackers exploit nftables (the Netfilter project's replacement for the {ip, ip6, arp, eb}tables tools) to trigger a logic flaw: under certain conditions, the code frees the same memory block twice. This is a well-known form of memory corruption, the double-free vulnerability.

The known affected systems for this vulnerability are:

(Image: known affected systems for CVE-2024-26809)

Image Credit: https://nvd.nist.gov/vuln/detail/cve-2024-26809#range-16641077

According to NIST's National Vulnerability Database (NVD), CVE-2024-26809 has a CVSS base score of 5.5 (Medium) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

A Medium rating means the flaw can be exploited, but typically under specific conditions. In this case, any local, low-privilege user, or malicious code already running with that level, can crash or hang the system without assistance from another logged-in user. Confidentiality and integrity remain unaffected, so the primary risk is downtime (DoS).

Each metric in that vector, its value, and what it means in plain English:

  • Attack Vector (AV): L – Local. An attacker must already have some level of access to the target system (e.g., a local account or physical access).
  • Attack Complexity (AC): L – Low. Exploiting the flaw doesn’t require unusual conditions or advanced tricks.
  • Privileges Required (PR): L – Low. The attacker needs only low-level (non-admin) privileges to trigger the bug.
  • User Interaction (UI): N – None. No victim action (clicking, opening a file, etc.) is needed.
  • Scope (S): U – Unchanged. The vulnerability cannot break out of its original security boundary. Effects stay within the same system or privilege domain.
  • Confidentiality (C): N – None. No leakage or exposure of sensitive data.
  • Integrity (I): N – None. No unauthorized modification of data or code.
  • Availability (A): H – High. The service or system can be rendered completely or almost completely unavailable (full Denial-of-Service).

Origin Analysis

Inside net/netfilter/nft_set_pipapo.c there is the nft_pipapo_destroy() function. This routine is responsible for destroying, i.e., freeing, pipapo sets that belong to the nftables infrastructure.

(Image: excerpt of nft_pipapo_destroy() showing the double-free path)

Credit: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2024-26809_lts_cos/docs/exploit.md

A set is marked dirty when it has been modified but not yet committed. If a set is dirty, the function frees all set elements referenced from either of two internal structures, match and clone. The issue arises in the edge case where the same element is referenced from both match and clone simultaneously, so its memory is freed twice.

Analogy

Imagine each pipapo set as a house on a quiet street and every set element as a piece of furniture inside that house. You first build House A (create set A) and move in Couch B (add element B). Later, someone squeezes in Chair C, an extra item that changes the layout, so a bright “needs-cleaning” sticker goes on the door (the set becomes dirty). When the city’s junk-removal crew (nft_pipapo_destroy()) arrives, they check two separate work orders, Match and Clone, that both mistakenly list House A for clearing. Dutifully following each ticket, the crew hauls away Couch B once, then, seeing the second ticket, hauls it away again, ripping up the same floorboards on the repeat pass. That second haul is the double-free: the kernel believes the memory is already reclaimed, hands it out to someone else, and immediately overwrites it. Although the problem is local to that single house (local privilege escalation), the resulting hole in the floor lets an attacker tunnel anywhere, plant rootkits, crash services, or otherwise seize control of the entire neighborhood.

Impact

  • Local root, any user / container – CVE-2024-26809 is not remote, but once an attacker lands on the box, even as the lowest-privilege account, the double-free in nft_set_pipapo lets them jump straight to kernel mode. Any unprivileged namespace inside a container is enough to trigger it, so a compromised web-app or CI job effectively equals root on the host. (https://nvd.nist.gov/vuln/detail/cve-2024-26809)
  • Defense layers sidestepped – Researchers have shown a “universal” exploit that runs unchanged across multiple kernel builds by leaking nft_last_ops pointers, effectively bypassing KASLR and removing the need for per-kernel ROP gadgets. (https://osec.io/blog/2024-11-25-netfilter-universal-root-1-day)
  • Resulting damage – The bug itself doesn’t steal or corrupt data, but once root is gained an attacker can load eBPF backdoors, wipe logs or simply crash the node. Most observed breakages are abrupt panics or hangs, leading to service outages rather than silent breaches.
  • How it stacks up – Earlier Netfilter flaws like CVE-2024-1086 (double-free in nft_verdict_init) and CVE-2023-35001 (OOB read/write in nft_byteorder) also reached root, but they still required CAP_NET_ADMIN or an unprivileged user-namespace. CVE-2024-26809 drops those prerequisites, lowering the bar for post-compromise escalation and making it the most accessible nftables LPE to date. (https://nvd.nist.gov/vuln/detail/cve-2024-1086) (https://nvd.nist.gov/vuln/detail/cve-2023-35001)

How AccuKnox Could Have Mitigated CVE-2024-26809

AccuKnox Zero Trust Security CNAPP adds defensive layers that matter for CVE-2024-26809:

  • Inline runtime exploit blocking – the BPF-LSM runtime engine hooks directly into the kernel and can be configured to watch the same nft_* syscalls the exploit abuses. A policy is created, and if the engine sees the create-set → mark-dirty → delete sequence it blocks the system calls before they run, and therefore before the double-free fires. No kernel panic, no container escape.
  • Auto-generated least-privilege policies – KubeArmor (bundled with the platform) learns “normal” behaviour and then drops CAP_NET_ADMIN and CAP_SYS_ADMIN and blocks /usr/sbin/nft for all pods that don’t need them, removing the exploit’s entry point. You can roll the policy out cluster-wide in one click.
  • CVE-aware Admission Controller – the Admission Controller Security module screens every deploy request and simply refuses to place new workloads on nodes whose kernel build-id matches the vulnerable range, stopping accidental drift and lateral movement while you patch.
(Images: Admission Controller Security module screens and quick incident triage view)
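As an added example, and not a policy shipped by AccuKnox or generated by KubeArmor, the following KubeArmorPolicy spells out the least-privilege rule described in the second bullet: it blocks execution of /usr/sbin/nft and use of the net_admin and sys_admin capabilities for pods that do not need them. The policy name, namespace, and the app: web selector label are assumed placeholders to be replaced with the workload's own; the field layout follows the public KubeArmorPolicy CRD, and capability enforcement should be confirmed against the enforcer (BPF-LSM or AppArmor) available on the node.

```yaml
# Added example, not AccuKnox's own policy text. Placeholder name, namespace
# and selector label; adjust to the workloads that genuinely need no nftables.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: deny-nftables-for-web           # assumed name
  namespace: default                    # assumed namespace
spec:
  severity: 8
  tags: ["CVE-2024-26809", "netfilter", "least-privilege"]
  message: "nftables access from a workload that does not need it"
  selector:
    matchLabels:
      app: web                          # assumed label on the affected pods
  process:
    matchPaths:
      - path: /usr/sbin/nft             # the CLI front end named in the article
  capabilities:
    matchCapabilities:
      - capability: net_admin           # CAP_NET_ADMIN
      - capability: sys_admin           # CAP_SYS_ADMIN
  action: Block
```

Applied with kubectl, the policy reduces exposure for workloads that never legitimately touch nftables and produces a KubeArmor alert whenever one of them tries; it does not change the vulnerable kernel code, so it complements the kernel update described next rather than replacing it.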

Aside from AccuKnox, the flaw has been fixed in numerous Linux kernel versions (including Ubuntu’s). The user’s job is to make sure the system is updated to the latest available version, and that this version does in fact contain the corrected code.

Conclusion

CVE-2024-26809 may sit in the “Medium” range on paper, but in practice it gives any local foothold, whether a container, a low-privilege user, or a stray process, a fast lane to root. The double-free in nft_pipapo_destroy() bypasses KASLR, crashes unpatched hosts, and turns routine misconfigurations into full system compromises.

Key takeaways:

  • Scope is local, impact is total – Once triggered, the flaw hands complete kernel control to the attacker and can bring critical workloads to a halt.
  • Exploit kits already exist – Researchers have demonstrated reliable, mostly copy-and-paste attack chains that work across kernel versions.
  • Patch first, harden second – Make sure every production, CI, and test node is running a fixed kernel. Until that is done, treat any low-privilege compromise as a full breach.
  • Stay in the loop – Vulnerabilities in core subsystems like Netfilter land regularly and escalate quickly. Continuous monitoring, timely patching, and clear incident-response playbooks are the only sustainable defenses.

Staying informed isn’t optional. Zero-days happen every day. 
