CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits

https://securityaffairs.com/193352/hacking/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits.html

Publish Date: 2026-06-09 04:11:00

Source Domain: securityaffairs.com

Pierluigi Paganini
June 09, 2026

A Linux kernel nf_tables bug lets local users gain root via a use-after-free caused by a logic error; the patch removes a single “!”.

CVE-2026-23111 lives in nf_tables, the Linux kernel’s packet filtering framework. Exodus Intelligence researcher Oliver Sieber found the bug in early 2025 and chained it into a full local privilege escalation. The flaw was addressed on February 5, 2026, by simply removing one character from the source code. That character was a !.

“An inverted condition on the catchall element in the Abort Phase of nf_tables transactions allows an unprivileged user to trigger a use-after-free,” reads the report published by FuzzingLabs. “This UAF can be used to leak the kernel base address, then a heap address, and finally to execute a ROP chain that stack pivot into msg_msg-2k to get root privileges.”

The mechanics aren’t complicated to follow once you know where to look. When nf_tables processes a batch of transactions and something fails mid-way, it runs an abort phase to undo the changes. That abort phase calls nft_map_catchall_activate() to restore catchall elements in verdict maps. The function has the condition backwards: it skips the elements it should restore and tries to restore the ones that are already fine.

“The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element,” continues the report. “For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain-use reference count. Each abort cycle permanently decrements chain-use. Once chain-use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via…
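
The reference-count drift described in the two paragraphs above, as a simplified model added here; it is not kernel source and not code from the report. All struct and function names are hypothetical, and the single `active` flag stands in for the kernel's per-generation element state.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the reference counting described above. Constructed for
 * illustration: every name here is hypothetical, none is kernel source. */
struct chain    { int use; bool freed; };
struct catchall { struct chain *target; bool active; };

/* DELSET: deactivate the catchall element and drop its hold on the chain. */
static void delset_deactivate(struct catchall *e) {
    e->active = false;
    e->target->use--;
}

/* Abort: undo the DELSET. 'inverted' selects the pre-patch check, which
 * skips exactly the deactivated elements that need restoring. */
static void abort_activate(struct catchall *e, bool inverted) {
    bool skip = inverted ? !e->active : e->active;
    if (skip) return;
    e->active = true;
    e->target->use++;           /* models nft_data_hold() on the chain */
}

/* DELCHAIN: only allowed when nothing is counted as using the chain. */
static bool delchain(struct chain *c) {
    if (c->use > 0)
        return false;
    c->freed = true;            /* flag only; the model never frees memory */
    return true;
}

/* Abort cycle after which DELCHAIN succeeds while the element still points
 * at the chain (a dangling reference), or -1 if that never happens. */
int cycles_until_dangling(int initial_use, bool inverted, int max_cycles) {
    struct chain c = { initial_use, false };
    struct catchall e = { &c, true };
    for (int i = 1; i <= max_cycles; i++) {
        delset_deactivate(&e);
        abort_activate(&e, inverted);
        if (delchain(&c) && e.target == &c)
            return i;
    }
    return -1;
}

int main(void) {
    printf("inverted: %d\n", cycles_until_dangling(3, true, 10));
    printf("fixed:    %d\n", cycles_until_dangling(3, false, 10));
    return 0;
}
```

With the inverted check the counter loses one reference per aborted DELSET, so a chain that starts with three users becomes deletable after three cycles; with the corrected check the count is restored on every abort and the deletion is always refused.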
