CVE-2022-2586

MEDIUM KEV

Linux Kernel < 5.19.17 - Use-After-Free via NFT Object or Expression Reference

Title source: llm

Exploitation Summary

CVE-2022-2586 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 26, 2024. EIP tracks 3 public exploits from researchers including aels, sniper404ghostxploit.

AI-analyzed exploit summary This is a local privilege escalation (LPE) exploit for CVE-2022-2586, targeting a use-after-free (UAF) vulnerability in the Linux kernel's nft_object. The exploit leverages nftables operations to achieve arbitrary memory manipulation and ultimately gain root privileges.

Description

It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted.

Exploits (3)

nomisec WORKING POC 20 stars

by aels · local

https://github.com/aels/CVE-2022-2586-LPE

View Code ZIP pw:eip

This is a local privilege escalation (LPE) exploit for CVE-2022-2586, targeting a use-after-free (UAF) vulnerability in the Linux kernel's nft_object. The exploit leverages nftables operations to achieve arbitrary memory manipulation and ultimately gain root privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel (specific versions affected by CVE-2022-2586)

No auth needed

Prerequisites: Local access to the vulnerable system · Kernel version affected by CVE-2022-2586 · Appropriate kernel configuration (e.g., nftables enabled)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by sniper404ghostxploit · local

https://github.com/sniper404ghostxploit/CVE-2022-2586

View Code ZIP pw:eip

This is a local privilege escalation (LPE) exploit for CVE-2022-2586, targeting a use-after-free (UAF) vulnerability in the Linux kernel's nft_object. It leverages memory corruption to achieve arbitrary code execution in kernel context, ultimately gaining root privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel (specific versions affected by CVE-2022-2586)

No auth needed

Prerequisites: Local access to the vulnerable system · Kernel version affected by CVE-2022-2586 · Compilation with specific libraries (libmnl, libnftnl)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

local

https://github.com/greek0x0/2022-LPE-UAF

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2022-2586, a use-after-free (UAF) vulnerability in the Linux kernel's nf_tables subsystem. The PoC demonstrates the vulnerability by creating and manipulating nf_tables objects and sets to trigger the UAF condition, potentially leading to local privilege escalation (LPE).

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Linux kernel (nf_tables subsystem)

No auth needed

Prerequisites: Linux kernel with nf_tables support · Local user access

MITRE ATT&CK