GBHackers

Linux Kernel Flaw Allows Local Attackers to Gain Root Privileges


A newly disclosed Linux kernel vulnerability tracked as CVE-2026-23111 allows local attackers to escalate privileges to root by exploiting a use-after-free flaw in the nftables subsystem.

The vulnerability, patched upstream on February 5, 2026, affects the netfilter framework, specifically nftables, which is widely used for packet filtering, NAT, and firewall rule management across modern Linux distributions.

Successful exploitation has been demonstrated on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS, highlighting the broad impact across enterprise and server environments, as reported by Exodus Intelligence.

Linux Kernel Flaw

At its core, the flaw lies in the handling of nftables verdict maps, particularly in the use of “catchall” elements and generation masks during transactional rule updates.

The Linux kernel employs a generational mechanism to ensure atomic updates to firewall rule sets, marking objects as active or inactive across the “current” and “next” generations.

However, a logic error in the nft_map_catchall_activate() function causes it to skip inactive elements during rollback (abort) operations, leaving certain objects in an inconsistent state.

This flaw results in a reference-counting issue: when a verdict map containing a catchall element that references a chain is deleted, the chain’s reference counter is decremented.

If an error occurs within the same transaction batch, the kernel attempts to revert the deletion, but because of the bug, the catchall element is not properly reactivated, and the reference counter is not restored. As a result, the chain may appear unused (with a reference count of 0) even though it is still referenced elsewhere.

This condition enables attackers to prematurely delete the chain, creating a classic use-after-free scenario in which freed memory is still referenced. By carefully orchestrating nftables transactions across multiple batches, an attacker can reliably trigger this state and gain control over freed kernel objects.

The exploitation process involves multiple stages. First, the attacker triggers the vulnerability by crafting nftables operations within a network namespace that unprivileged users can create under certain conditions.

The attacker then leverages the dangling pointer to leak sensitive kernel memory, including the kernel base address, effectively bypassing Kernel Address Space Layout Randomization (KASLR).

Next, heap memory addresses are disclosed by reclaiming freed memory regions with controlled data structures. These leaks allow precise manipulation of kernel heap layout, which is critical for reliable exploitation.

Finally, attackers hijack control flow by overwriting function pointers within kernel structures, enabling execution of a Return-Oriented Programming (ROP) chain.

For example, attackers can overwrite function pointers in reclaimed memory so that when the kernel processes a packet through nftables, it executes attacker-controlled code paths.

The exploit ultimately invokes kernel functions such as commit_creds() with init_cred to grant root privileges, effectively breaking out of user restrictions and, in some cases, container isolation boundaries.

Notably, researchers reported high reliability for the exploit, achieving over 99% success on idle systems and approximately 80% under heavy load conditions. This level of stability makes the vulnerability particularly dangerous in real-world scenarios.

The issue underscores the risks of complex kernel subsystems like nftables, where subtle logic errors, such as misplaced conditional checks, can lead to severe security consequences. In this case, a single incorrect negation operator in a conditional statement was sufficient to introduce a privilege escalation pathway.

Linux users and administrators are strongly advised to update to patched kernel versions that include the fix for CVE-2026-23111. Systems that allow unprivileged user namespaces or provide access to nftables functionality are especially at risk and should be prioritized for remediation.

Security teams should also monitor for suspicious nftables activity, unusual netlink interactions, or unauthorized namespace creation, as these may indicate attempts to exploit this vulnerability in active environments.
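As an added illustration of the monitoring advice above (not code from the article or from Exodus Intelligence), the script below correlates, per process, an unshare() call that creates a user or network namespace with a later NETLINK_NETFILTER socket, which is the access path nftables is driven through. The audit records are constructed for the example; the field layout follows auditd SYSCALL records on x86_64, and the flag, family and syscall values are the kernel's own.

```python
import re

# Constants from the Linux uapi headers (x86_64 syscall numbers).
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000
AF_NETLINK = 16
NETLINK_NETFILTER = 12   # netlink family used by nft / libnftnl
SYS_UNSHARE = 272
SYS_SOCKET = 41

# Constructed auditd SYSCALL records, as rules like these would produce:
#   -a always,exit -F arch=b64 -S unshare -k ns_create
#   -a always,exit -F arch=b64 -S socket -F a0=16 -k netlink_sock
# pid 4321: non-root user+net namespace, then netfilter netlink socket (alert);
# pid 777: root doing the same (normal); pid 555: non-root netns but AF_INET.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1770000000.101:11): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 pid=4321 uid=1000 auid=1000 comm="unshare" exe="/usr/bin/unshare" key="ns_create"
type=SYSCALL msg=audit(1770000000.102:12): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=c a3=0 pid=4321 uid=1000 auid=1000 comm="nft" exe="/usr/sbin/nft" key="netlink_sock"
type=SYSCALL msg=audit(1770000000.103:13): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=c a3=0 pid=777 uid=0 auid=0 comm="nft" exe="/usr/sbin/nft" key="netlink_sock"
type=SYSCALL msg=audit(1770000000.104:14): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=0 a2=0 a3=0 pid=555 uid=1000 auid=1000 comm="podman" exe="/usr/bin/podman" key="ns_create"
type=SYSCALL msg=audit(1770000000.105:15): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 pid=555 uid=1000 auid=1000 comm="podman" exe="/usr/bin/podman" key="netlink_sock"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict; only SYSCALL records are of interest."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return rec if rec.get("type") == "SYSCALL" else None

def find_ns_netfilter_chains(lines):
    """Return (pid, uid, comm) for non-root processes that created a user or
    network namespace and later opened a NETLINK_NETFILTER socket.
    Correlation is by pid, which covers unshare(1) exec'ing the tool directly;
    a forked child would need ppid tracking on top of this."""
    ns_creators, hits = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec.get("success") != "yes":
            continue
        pid, uid, nr = rec["pid"], int(rec["uid"]), int(rec["syscall"])
        if nr == SYS_UNSHARE:
            flags = int(rec["a0"], 16)          # audit prints syscall args in hex
            if uid != 0 and flags & (CLONE_NEWUSER | CLONE_NEWNET):
                ns_creators.add(pid)
        elif nr == SYS_SOCKET and pid in ns_creators:
            family, proto = int(rec["a0"], 16), int(rec["a2"], 16)
            if family == AF_NETLINK and proto == NETLINK_NETFILTER:
                hits.append((pid, uid, rec.get("comm", "?")))
    return hits
```

Feed real `ausearch -i`-free raw records (or journald-exported audit lines) into `find_ns_netfilter_chains`; on hosts where unprivileged user namespaces are disabled, any hit at all is worth a look.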
