CVE-2026-23111

Severity: High (CVSS 3.1 base score 7.8)
EPSS: 14.5%
Published: Feb 13, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

    nft_mapelem_activate():
      if (nft_set_elem_active(ext, iter->genmask))
          return 0;   /* skip active, process inactive */

With the buggy catchall version:

    nft_map_catchall_activate():
      if (!nft_set_elem_active(ext, genmask))
          continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
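The reference-count imbalance described above, reduced to a toy userspace model. This is an added example, not kernel code and not taken from the patch: the struct and function names are hypothetical, and it assumes the catchall element holds the only reference to the chain.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy userspace model, not kernel code. All names are hypothetical. */
struct chain { int use; };                 /* models chain->use */
struct elem  { bool active; struct chain *goto_target; };

/* DELSET: deactivate the element and drop its reference on the chain. */
static void delset_deactivate(struct elem *e)
{
    e->active = false;
    e->goto_target->use--;
}

/* Abort path: restore elements deactivated by the failed transaction.
 * inverted_check=true models the buggy catchall callback,
 * inverted_check=false models the fixed one. */
static void abort_activate(struct elem *e, bool inverted_check)
{
    bool skip = inverted_check ? !e->active   /* skip inactive (bug) */
                               : e->active;   /* skip active (fixed) */
    if (skip)
        return;
    e->active = true;
    e->goto_target->use++;                 /* models nft_data_hold() */
}

/* Run one aborted DELSET and return the chain use count afterwards. */
static int use_after_aborted_delset(bool inverted_check)
{
    struct chain c = { .use = 1 };         /* assumed: held only by the element */
    struct elem e = { .active = true, .goto_target = &c };
    delset_deactivate(&e);
    abort_activate(&e, inverted_check);
    return c.use;
}

/* DELCHAIN is only allowed once nothing references the chain. */
static bool delchain_would_succeed(bool inverted_check)
{
    return use_after_aborted_delset(inverted_check) == 0;
}

int main(void)
{
    printf("buggy: use=%d delchain_ok=%d\n", use_after_aborted_delset(true), delchain_would_succeed(true));
    printf("fixed: use=%d delchain_ok=%d\n", use_after_aborted_delset(false), delchain_would_succeed(false));
    return 0;
}
```

With the inverted check the count stays at zero after the abort, so the model's DELCHAIN test passes while the element still points at the chain; with the corrected check the count returns to one and the deletion is refused.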

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 14.5% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-416: Use After Free (Memory Safety)

Affected Products 18

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥4.19.316 – <4.20
linux   linux_kernel  *        ≥5.4.262 – <5.5
linux   linux_kernel  *        ≥5.10.188 – <5.11
linux   linux_kernel  *        ≥5.15.121 – <5.15.200
linux   linux_kernel  *        ≥6.1.36 – <6.1.163
linux   linux_kernel  *        ≥6.3.10 – <6.4
linux   linux_kernel  *        ≥6.4.1 – <6.6.124
linux   linux_kernel  *        ≥6.7 – <6.12.70
linux   linux_kernel  *        ≥6.13 – <6.18.10
linux   linux_kernel  6.4      any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any

References 8

  • blog.exodusintel.com https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-253495.html
  • git.kernel.org https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8
    Patch