New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root
https://cybersecuritynews.com/linux-kernel-nftables-vulnerability/
Publish Date: 2026-06-08 12:47:00
Source Domain: cybersecuritynews.com
A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. Security researcher Oliver Sieber of Exodus Intelligence published a detailed technical write-up alongside a working exploit demonstrating 99% reliability on idle systems.
The bug originates in the nft_map_catchall_activate() function within the nftables subsystem — a packet filtering framework built on top of Linux’s Netfilter hooks.
Specifically, a single inverted conditional check (a misplaced ! operator) causes the function to incorrectly skip inactive catchall elements during the abort process, instead of reactivating them.
When a pipapo-backed verdict map containing a catchall element that references a chain is deleted, and a later transaction in the same batch fails and triggers an abort, the catchall element is wrongly left inactive.
This leaves the referenced chain’s reference counter at zero, even though a valid reference to that chain still exists. An attacker can then delete the chain while a dangling pointer remains in a base chain rule, triggering the use-after-free condition.
Linux Kernel use-after-free Vulnerability
The exploit chains four transaction batches to manipulate nftables’ generational cursor mechanism:
- Batch 1: Delete the pipapo set, then force an error to trigger the abort — causing the chain reference counter to decrement incorrectly
- Batch 2: Send a benign transaction to toggle the generation cursor
- Batch 3: Delete the pipapo set cleanly, driving the chain’s reference counter to zero
- Batch 4: Delete the chain while the base chain retains a live rule referencing it
From there, the…
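To make the mechanism described above concrete, the following is a constructed C model added here; it is neither the kernel's code nor the Exodus Intelligence exploit. It tracks one chain's use counter and one catchall element's generation mask, runs the abort path in both its inverted and corrected forms, and replays the four batches to show why the use counter reaches zero while a rule still references the chain. The names replay, map_delete and catchall_activate are the model's own simplifications of the real nftables internals.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed model (not kernel code) of the refcount/genmask interplay the
 * article describes: one chain, one verdict-map catchall element and one
 * base-chain rule, both of which reference the chain. */
struct chain    { int use; bool freed; };
struct catchall { unsigned genmask; struct chain *target; };

static unsigned gencursor;                 /* toggled on every commit */
static unsigned mask_next(void) { return 1u << (gencursor ^ 1); }
static bool elem_active(const struct catchall *c, unsigned gm) { return !(c->genmask & gm); }

/* Deleting the map marks its catchall inactive in the next generation and
 * drops the reference the element held on the chain. */
static void map_delete(struct catchall *c) {
    if (!elem_active(c, mask_next())) return;
    c->genmask ^= mask_next();
    c->target->use--;
}

/* Abort path. The fixed form skips still-active elements and reactivates the
 * rest, restoring their chain reference. 'inverted' models the misplaced '!':
 * inactive elements are skipped instead, so the dropped reference never returns. */
static void catchall_activate(struct catchall *c, bool inverted) {
    bool active = elem_active(c, mask_next());
    if (inverted ? !active : active) return;
    c->genmask ^= mask_next();
    c->target->use++;
}

/* Chain deletion is refused while the use counter shows live references. */
static int chain_delete(struct chain *ch) {
    if (ch->use > 0) return -EBUSY;
    ch->freed = true;
    return 0;
}

/* Replays the four batches; returns true when the base-chain rule is left
 * pointing at a freed chain, i.e. the dangling reference the article describes. */
bool replay(bool inverted) {
    struct chain ch = { .use = 2, .freed = false };      /* map element + rule */
    struct catchall c = { .genmask = 0, .target = &ch };
    struct chain *rule_target = &ch;                     /* the rule's jump */
    gencursor = 0;
    map_delete(&c); catchall_activate(&c, inverted);     /* batch 1: delete, then abort */
    gencursor ^= 1;                                      /* batch 2: benign commit */
    map_delete(&c); gencursor ^= 1;                      /* batch 3: clean delete */
    return chain_delete(&ch) == 0 && rule_target->freed; /* batch 4: delete chain */
}
```

With the corrected check, batch 3 leaves the counter at one and batch 4 is refused with EBUSY; with the inverted check the counter hits zero and the chain is freed under the rule.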