CVE-2026-23111

Published Feb 13, 2026

Last updated 14 days ago

CVSS high 7.8
AWS
Ubuntu

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-23111 is a local privilege escalation vulnerability found in the Linux kernel's `nf_tables` subsystem, which is responsible for packet filtering. The flaw stems from a logic error within the `nft_map_catchall_activate()` function, specifically an inverted `genmask` check during the abort path of a failed transaction. This incorrect check prevents the proper reactivation of catchall map elements and, for `NFT_GOTO` verdict elements, can lead to a permanently decremented reference count for `nf_tables` chain objects. This issue can result in a use-after-free condition, where a chain can be prematurely freed while other `nf_tables` state still holds a stale reference to it. An unprivileged local user can exploit this vulnerability on systems where user namespaces and `nftables` are enabled, potentially gaining root access. The vulnerability was patched by removing a single character (an exclamation mark) that caused the inverted logic.

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Modified
Products
linux_kernel

Risk scores

CVSS 3.1

Type
Primary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

nvd@nist.gov
CWE-416
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-416
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE-672

Social media

Hype score
Not currently trending
  1. 14:02 UTC: CVE-2026-23111 disclosed. Critical Linux kernel use-after-free in nftables enables unprivileged local privilege escalation to root. CVE-2026-23111

    @lyrie_ai

    5 Jul 2026

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Off By !: Exploiting a Use-after-Free in the Linux Kernel Oliver Sieber published write-up on CVE-2026-23111 in nftables, found in early 2025, patched upstream by other researchers in Feb 2026. Article describes exploiting this UAF on Debian and Ubuntu. https://t.co/z52Nn6qs3U

    @linkersec

    25 Jun 2026

    2860 Impressions

    14 Retweets

    52 Likes

    43 Bookmarks

    0 Replies

    0 Quotes

  3. 🔒 CYBERSECURITY, PRIVACY & OPEN SOURCE ROUNDUP — June 11, 2026 1️⃣ LINUX KERNEL PRIVILEGE ESCALATION BUG GETS PUBLIC EXPLOIT — CVE-2026-23111 A Linux kernel vulnerability rated as a favorite among attackers has gone public. CVE-2026-23111 is neither remote nor fl

    @TraffAlex

    11 Jun 2026

    308 Impressions

    2 Retweets

    4 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2026-23111 2 - CVE-2026-23479 3 - CVE-2026-42271 4 - CVE-2025-7771 5 - CVE-2026-6973 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    10 Jun 2026

    97 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Linux Kernel LPE CVE-2026-23111 1/4 CVE-2026-23111 Linux kernel nf_tables. Root from unprivileged user. Container breakout included. Working exploit has been public for 4 months. If your kernel hasn’t been updated since February 5, 2026, you’re exposed right now.

    @ElusivePrivacy

    9 Jun 2026

    58 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    1 Quote

  6. CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits: A Linux kernel nf_tables bug lets local users gain root via use-after-free caused by a logic error; patch removes a single “!”. CVE-2026-23111 lives in nf_tables, the Linux kernel’s packet… https://t.co/TwtPntRJu

    @shah_sheikh

    9 Jun 2026

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Top 5 Trending CVEs: 1 - CVE-2025-8088 2 - CVE-2026-4480 3 - CVE-2026-42271 4 - CVE-2026-23111 5 - CVE-2026-3300 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    9 Jun 2026

    100 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Linux Security AlertA critical Linux kernel nftables vulnerability (CVE-2026-23111) could allow local attackers to escalate privileges and gain root access on affected systems.Source: Linux Kernel Security Advisories & CVE-2026-23111 Connect with us:https://t.co/tWT2Q2Th2Y #C

    @CWMCommunity

    9 Jun 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations