Linux Kernel Flaw Allows Local Attackers to Gain Root Privileges

https://gbhackers.com/linux-kernel-flaw-allows-local-attackers-to-gain-privileges/

Publish Date: 2026-06-09 04:17:00

Source Domain: gbhackers.com

A newly disclosed Linux kernel vulnerability tracked as CVE-2026-23111 allows local attackers to escalate privileges to root by exploiting a use-after-free flaw in the nftables subsystem.

The vulnerability, patched upstream on February 5, 2026, affects the netfilter framework, specifically nftables, which is widely used for packet filtering, NAT, and firewall rule management across modern Linux distributions.

Successful exploitation has been demonstrated on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS, highlighting the broad impact across enterprise and server environments, as reported by Exodus Intelligence.

Linux Kernel Flaw

At its core, the flaw lies in the handling of nftables verdict maps, particularly in the use of “catchall” elements and generation masks during transactional rule updates.

The Linux kernel employs a generational mechanism to ensure atomic updates to firewall rule sets, marking objects as active or inactive across the “current” and “next” generations.

However, a logic error in the nft_map_catchall_activate() function causes it to skip inactive elements during rollback (abort) operations, leaving certain objects in an inconsistent state.

This flaw results in a reference counting issue. When a verdict map containing a catch-all element referencing a chain is deleted, the chain’s reference counter is decremented.

If an error occurs within the same transaction batch, the kernel attempts to revert the deletion, but because of the bug, the catchall element is not properly reactivated, and the reference counter is not restored. As a result, the chain may appear unused (with a reference count of 0) even though it is still referenced elsewhere.

This condition enables attackers to prematurely delete the chain, creating a classic use-after-free scenario in which freed memory is still referenced. By carefully orchestrating nftables transactions across multiple batches, an attacker…
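The reference-count mismatch described above, as a simplified C model added here (not kernel code and not the upstream patch): deleting the map and then aborting the transaction leaves the chain's refcount at 0 when the rollback skips the deactivated catchall element, and at 1 when the rollback restores it as a correct rollback should. The function names and the two-flag generation state are assumptions of the model.

```c
#include <stdbool.h>

/* Simplified model (added here, not kernel code) of the nftables generation
 * scheme described above: each object is active or inactive in the "current"
 * and "next" generation, and a catchall map element holds one reference on
 * the chain its verdict points to. */
struct chain { int refcnt; };
struct elem {
    bool active_cur, active_next;  /* activity per generation */
    bool catchall;
    struct chain *verdict;          /* chain referenced by the verdict, or NULL */
};

/* Deleting the map inside a transaction: deactivate the element in the next
 * generation and drop the reference it holds on the chain. */
static void map_delete(struct elem *e)
{
    e->active_next = false;
    if (e->catchall && e->verdict)
        e->verdict->refcnt--;
}

/* Abort (rollback) of that transaction. The buggy path skips any element that
 * is inactive in the next generation, which is exactly the element this
 * transaction deactivated, so the chain reference is never restored. The
 * corrected path reactivates such elements and takes the reference again. */
static void map_catchall_activate(struct elem *e, bool fixed)
{
    if (e->active_next)
        return;                     /* nothing to roll back */
    if (!fixed)
        return;                     /* bug: deactivated element is skipped */
    e->active_next = true;
    if (e->catchall && e->verdict)
        e->verdict->refcnt++;
}

/* Run delete-then-abort on one catchall element and return the chain's
 * refcount: 0 means the chain looks unused although the element still
 * points at it, the inconsistent state the article describes. */
int chain_refcnt_after_abort(bool fixed)
{
    struct chain c = { .refcnt = 1 };          /* held by the catchall element */
    struct elem e = { true, true, true, &c };  /* active in both generations */
    map_delete(&e);
    map_catchall_activate(&e, fixed);
    return c.refcnt;
}
```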