Linux Kernel nftables Bug Allows Local Privilege Escalation
A critical Linux kernel vulnerability, tracked as CVE-2026-23111, has been publicly disclosed, allowing local attackers to escalate privileges to root by exploiting a use-after-free flaw in the nftables subsystem.
The flaw affects the netfilter framework, the backbone of Linux packet filtering, NAT, and firewall rule management, and has been successfully demonstrated across multiple widely deployed enterprise distributions.
The vulnerability was patched upstream on February 5, 2026, but Exodus Intelligence’s public disclosure has raised urgent concerns given the broad attack surface.
Linux Kernel nftables Vulnerability
Confirmed affected systems include Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS, posing a significant threat to enterprise servers and cloud infrastructure.
At its core, the flaw originates from a logic error in the nft_map_catchall_activate() function, which handles “catchall” elements in nftables verdict maps during transactional rule updates.
The Linux kernel uses a generational mechanism to enforce atomic updates to firewall rule sets, marking objects as active or inactive across “current” and “next” generations.
When a verdict map containing a catch-all element referencing a chain is deleted, the chain’s reference counter is decremented. If an error occurs within the same transaction batch, the kernel attempts to revert the deletion, but due to the bug, the catchall element is never properly reactivated, and the reference counter is not restored.
This leaves the chain’s reference count at zero even though it is still referenced elsewhere in kernel memory. An attacker can then trigger the premature deletion of that chain, creating a classic use-after-free condition in which freed memory remains accessible through a dangling pointer.
Remarkably, the entire vulnerability traces back to a single incorrect negation operator in a conditional statement, a subtle logic error with severe security consequences.
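To make the generational activation and reference-counting logic concrete, here is a constructed C model added for this article. It is not the kernel's nftables source: the struct names, the two generation bits (GEN_CUR/GEN_NEXT) and the helper names are illustrative assumptions. It shows how a rollback path whose activation test is negated skips exactly the element that was deactivated, so the chain's reference count is left one too low after an aborted batch and the chain can be released while the surviving map element still points at it, beside the variant that restores the reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the generational activate/deactivate scheme described
 * above. This is NOT the kernel's nftables code; names and bit layout are
 * illustrative assumptions. */

#define GEN_CUR  1u   /* object is active in the current generation */
#define GEN_NEXT 2u   /* object is active in the next (pending) generation */

struct chain {
    const char *name;
    int refcnt;        /* number of map elements whose verdict jumps to this chain */
    bool freed;        /* set once refcnt reaches zero and the chain is released */
};

struct catchall_elem {
    unsigned gen_mask;     /* GEN_CUR / GEN_NEXT activation bits */
    struct chain *target;  /* chain named by the element's verdict */
};

/* Deleting the map deactivates its element for the next generation and
 * drops the element's reference on the target chain. */
static void elem_deactivate(struct catchall_elem *e)
{
    e->gen_mask &= ~GEN_NEXT;
    e->target->refcnt--;
}

/* Correct rollback: an element that was deactivated (NEXT bit clear) is
 * reactivated and its reference is handed back to the chain. */
static void elem_activate_fixed(struct catchall_elem *e)
{
    if (e->gen_mask & GEN_NEXT)
        return;                 /* still active: nothing to undo */
    e->gen_mask |= GEN_NEXT;
    e->target->refcnt++;
}

/* Rollback with the test negated: it now returns early for exactly the
 * elements that were deactivated, so neither the bit nor the reference
 * is restored. */
static void elem_activate_buggy(struct catchall_elem *e)
{
    if (!(e->gen_mask & GEN_NEXT))
        return;                 /* wrong branch: the deactivated element is skipped */
    e->gen_mask |= GEN_NEXT;
    e->target->refcnt++;
}

/* Release the chain once nothing references it any more. */
static void chain_put(struct chain *c)
{
    if (c->refcnt == 0)
        c->freed = true;
}

/* One batch: delete the map, then a later operation in the same batch fails
 * and the kernel reverts the deletion with the chosen activate routine. */
static void run_aborted_batch(bool use_fixed, struct chain *c, struct catchall_elem *e)
{
    *c = (struct chain){ "verdict-target", 1, false };
    *e = (struct catchall_elem){ GEN_CUR | GEN_NEXT, c };

    elem_deactivate(e);                       /* "delete map" step */
    if (use_fixed)                            /* ... error later in the batch: revert */
        elem_activate_fixed(e);
    else
        elem_activate_buggy(e);
}

/* Chain reference count after the rollback (should be back to 1). */
static int refcnt_after_abort(bool use_fixed)
{
    struct chain c;
    struct catchall_elem e;
    run_aborted_batch(use_fixed, &c, &e);
    return c.refcnt;
}

/* True when the map element (still active in the current generation) keeps
 * pointing at a chain that a zero refcount allowed to be released. */
static bool dangling_after_abort(bool use_fixed)
{
    struct chain c;
    struct catchall_elem e;
    run_aborted_batch(use_fixed, &c, &e);
    chain_put(&c);
    return (e.gen_mask & GEN_CUR) && e.target->freed;
}

int main(void)
{
    printf("buggy rollback: refcnt=%d dangling=%s\n",
           refcnt_after_abort(false), dangling_after_abort(false) ? "yes" : "no");
    printf("fixed rollback: refcnt=%d dangling=%s\n",
           refcnt_after_abort(true), dangling_after_abort(true) ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps only one element and one chain: with the negated test, the rollback never touches the element that needs undoing, which is the state the article describes (reference count at zero while the object is still reachable). The defender's takeaway is that any transactional activate/deactivate pair must be exercised on the abort path, not just the commit path, with the reference counts checked after the revert.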
Researchers demonstrated a multi-stage exploitation chain requiring no elevated permissions under certain configurations:
- Stage 1 – Trigger: The attacker crafts nftables operations inside a network namespace, which unprivileged users can create under default kernel configurations on many distributions.
- Stage 2 – KASLR Bypass: The dangling pointer is used to leak sensitive kernel memory, including the kernel base address, defeating Kernel Address Space Layout Randomization (KASLR).
- Stage 3 – Heap Disclosure: Freed memory regions are reclaimed via controlled data structures, thereby disclosing heap addresses and enabling precise manipulation of the kernel heap layout.
- Stage 4 – Control Flow Hijack: Attackers overwrite function pointers in reclaimed kernel structures, triggering a Return-Oriented Programming (ROP) chain when the kernel processes packets through nftables.
- Stage 5 – Root Escalation: The exploit invokes commit_creds() with init_cred, granting full root privileges and, in some cases, breaking container isolation boundaries.
Exodus Intelligence reported an exploit success rate exceeding 99% on idle systems and approximately 80% under heavy load, making this vulnerability highly reliable and dangerous in real-world production environments.
Affected Scope and Mitigation
Linux administrators should immediately update to patched kernel versions addressing CVE-2026-23111. Systems that permit unprivileged user namespaces or expose nftables functionality to non-root users carry the highest risk and must be prioritized.
Security teams are advised to:
- Apply available kernel patches without delay
- Restrict unprivileged user namespace creation via sysctl kernel.unprivileged_userns_clone=0 where operationally feasible
- Monitor for anomalous nftables activity, unusual netlink socket interactions, or unauthorized namespace creation as potential exploitation indicators