{"id":268032,"date":"2026-06-09T04:11:00","date_gmt":"2026-06-09T08:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/09\/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits\/"},"modified":"2026-06-09T04:35:09","modified_gmt":"2026-06-09T08:35:09","slug":"cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/09\/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits\/","title":{"rendered":"CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/193352\/hacking\/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits.html\">CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/193352\/hacking\/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits.html\">https:\/\/securityaffairs.com\/193352\/hacking\/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-09 04:11:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> June 09, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2015\/11\/Linux-ransomware-encoder1.jpg?fit=620%2C413&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">A Linux kernel nf_tables bug lets local users gain root via use-after-free caused by a logic error; patch removes a single \u201c!\u201d.<\/h2>\n<p class=\"wp-block-paragraph\">CVE-2026-23111 lives in nf_tables, the Linux kernel\u2019s packet filtering framework. Exodus Intelligence researcher Oliver Sieber found the bug in early 2025 and chained it into a full local privilege escalation. The flaw was addressed on February 5, 2026, by simply removing one character from the source code. That character was a !. <\/p>\n<p class=\"wp-block-paragraph\">\u201cAn inverted condition on the catchall element in the Abort Phase of nf_tables transactions allows an unprivileged user to trigger a use-after-free.\u201d reads the report published by FuzzingLabs. \u201cThis UAF can be used to leak the kernel base address, then a heap address, and finally to execute a ROP chain that stack pivot into msg_msg-2k to get root privileges.\u201d <\/p>\n<p class=\"wp-block-paragraph\">The mechanics aren\u2019t complicated to follow once you know where to look. When nf_tables processes a batch of transactions and something fails mid-way, it runs an abort phase to undo the changes. That abort phase calls nft_map_catchall_activate() to restore catchall elements in verdict maps. The function has the condition backwards: it skips the elements it should restore and tries to restore the ones that are already fine. <\/p>\n<p class=\"wp-block-paragraph\">\u201cThe consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element.\u201d continues the report. \u201cFor NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain-use reference count. Each abort cycle permanently decrements chain-use. Once chain-use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/193352\/hacking\/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits https:\/\/securityaffairs.com\/193352\/hacking\/cve-2026-23111-linux-nf_tables-flaw-enables-root-exploits.html Publish Date: 2026-06-09 04:11:00 Source Domain: securityaffairs.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":268034,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2015\/11\/Linux-ransomware-encoder1.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,89,71],"class_list":["post-268032","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-flaw","tag-linux"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/268032"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=268032"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/268032\/revisions"}],"predecessor-version":[{"id":268035,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/268032\/revisions\/268035"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/268034"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=268032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=268032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=268032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}