{"id":267639,"date":"2026-06-08T12:47:00","date_gmt":"2026-06-08T16:47:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/08\/new-linux-kernel-vulnerability-lets-attackers-escalate-privileges-to-root\/"},"modified":"2026-06-08T15:05:07","modified_gmt":"2026-06-08T19:05:07","slug":"new-linux-kernel-vulnerability-lets-attackers-escalate-privileges-to-root","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/08\/new-linux-kernel-vulnerability-lets-attackers-escalate-privileges-to-root\/","title":{"rendered":"New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/linux-kernel-nftables-vulnerability\/\">New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/linux-kernel-nftables-vulnerability\/\">https:\/\/cybersecuritynews.com\/linux-kernel-nftables-vulnerability\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-08 12:47:00<\/a><\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p class=\"wp-block-paragraph\">A use-after-free vulnerability in the Linux kernel\u2019s nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.<\/p>\n<p class=\"wp-block-paragraph\">Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. Security researcher Oliver Sieber of Exodus Intelligence published a detailed technical write-up alongside a working exploit demonstrating 99% reliability on idle systems.<\/p>\n<p class=\"wp-block-paragraph\">The bug originates in the nft_map_catchall_activate() function within the nftables subsystem \u2014 a packet filtering framework built on top of Linux\u2019s Netfilter hooks.<\/p>\n<p class=\"wp-block-paragraph\">Specifically, a single inverted conditional check (a misplaced ! operator) causes the function to incorrectly skip inactive catchall elements during the abort process, instead of reactivating them.<\/p>\n<p class=\"wp-block-paragraph\">When a pipapo-backed verdict map containing a catchall element referencing a chain is deleted and a subsequent transaction in the same batch fails, triggering an abort, the catchall element remains incorrectly inactive.<\/p>\n<p class=\"wp-block-paragraph\">This leaves the referenced chain\u2019s reference counter at zero, even though a valid reference to that chain still exists. An attacker can then delete the chain while a dangling pointer remains in a base chain rule, triggering the use-after-free condition.<\/p>\n<h2 id=\"h-linux-kernel-use-after-free-vulnerability\" class=\"wp-block-heading\"><strong>Linux Kernel use-after-free Vulnerability<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The exploit chains four transaction batches to manipulate nftables\u2019 generational cursor mechanism:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Batch 1:<\/strong> Delete the pipapo set, then force an error to trigger the abort \u2014 causing the chain reference counter to decrement incorrectly<\/li>\n<li><strong>Batch 2:<\/strong> Send a benign transaction to toggle the generation cursor<\/li>\n<li><strong>Batch 3:<\/strong> Delete the pipapo set cleanly, driving the chain\u2019s reference counter to zero<\/li>\n<li><strong>Batch 4:<\/strong> Delete the chain while the base chain retains a live rule referencing it<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">From there, the&#8230;<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/linux-kernel-nftables-vulnerability\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root https:\/\/cybersecuritynews.com\/linux-kernel-nftables-vulnerability\/ Publish Date: 2026-06-08 12:47:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":267640,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/06\/Linux-Kernel-nftables-Vulnerability.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,91,31,89,71,57,79,27],"class_list":["post-267639","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-debian","tag-exploit","tag-flaw","tag-linux","tag-security","tag-ubuntu","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267639"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=267639"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267639\/revisions"}],"predecessor-version":[{"id":267642,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/267639\/revisions\/267642"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/267640"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=267639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=267639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=267639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}