A newly disclosed vulnerability within the Linux kernel’s nftables subsystem poses a significant security risk, enabling local attackers to escalate privileges to root across popular Linux distributions such as Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
Understanding CVE-2026-23111
Designated as CVE-2026-23111, this flaw was identified in early 2025 and received a patch on February 5, 2026, via a kernel update. Security expert Oliver Sieber from Exodus Intelligence has released a comprehensive analysis, demonstrating a reliable exploit on idle systems.
The vulnerability is rooted in the nft_map_catchall_activate() function of the nftables framework, which is integral to Linux’s packet filtering mechanisms. A coding error, specifically an inverted conditional check, results in the improper handling of catchall elements during abort operations.
Technical Details of the Exploit
The flaw arises when a verdict map containing a catchall element is deleted, yet the abort process fails to reactivate it. This error leaves the chain’s reference count at zero, despite an active reference, allowing attackers to delete the chain while a dangling pointer persists.
The exploitation process involves manipulating four transaction batches to utilize nftables’ generational cursor mechanism. This series of actions leads to a use-after-free condition, crucial for executing the exploit.
Real-World Impact and Mitigation
The exploit, displaying over 99% stability on idle systems, also performs effectively under stress, achieving around 80% stability. This makes it a practical threat in real-world scenarios, as highlighted by Sieber.
Administrators are urged to apply the kernel patch (commit f41c5d1) or update their systems to a secure version. On Ubuntu systems, disabling unprivileged user namespace creation by setting kernel.unprivileged_userns_clone=0 can offer partial protection where feasible.
In conclusion, while a separate yet related bug CVE-2026-23278 has been addressed, the urgency of updating systems to mitigate CVE-2026-23111 cannot be overstated. As always, staying informed and applying patches promptly is crucial to maintaining system security.
