CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits

A Linux kernel nf_tables bug lets local users gain root via use-after-free caused by a logic error; patch removes a single “!”.

CVE-2026-23111 lives in nf_tables, the Linux kernel’s packet filtering framework. Exodus Intelligence researcher Oliver Sieber found the bug in early 2025 and chained it into a full local privilege escalation. The flaw was addressed on February 5, 2026, by simply removing one character from the source code. That character was a !.

“An inverted condition on the catchall element in the Abort Phase of nf_tables transactions allows an unprivileged user to trigger a use-after-free.” reads the report published by FuzzingLabs. “This UAF can be used to leak the kernel base address, then a heap address, and finally to execute a ROP chain that stack pivot into msg_msg-2k to get root privileges.”

The mechanics aren’t complicated to follow once you know where to look. When nf_tables processes a batch of transactions and something fails mid-way, it runs an abort phase to undo the changes. That abort phase calls nft_map_catchall_activate() to restore catchall elements in verdict maps. The function has the condition backwards: it skips the elements it should restore and tries to restore the ones that are already fine.

“The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element.” continues the report. “For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.”

Each aborted transaction drains the reference count by one. When it hits zero, the kernel frees the chain. Objects that still hold pointers to it don’t know that.

Sieber’s exploit triggers this sequence across four batches: delete the pipapo set and force an abort, toggle the generation cursor with a clean batch, delete the set for real, then delete the now-zero-refcount chain.

“Although the exploit triggers the use-after-free vulnerability multiple times to leak the kernel base address, leak heap addresses, and hijack the control flow, the stability tests resulted in a stability of >99% on an idle system.” reads the report published by Exodus, which discovered the flaw.

Even under heavy load tests (like Apache benchmark), performance only dropped to about 80%, which is still considered quite good and usable.

The exploit was demonstrated on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. FuzzingLabs took a different angle for their independent reproduction. They built their exploit targeting RHEL 10 ahead of Pwn2Own Berlin 2026, using a different ROP approach: instead of hijacking control flow through blob_gen_0, they triggered nft_chain_validate on the freed chain, which walks expressions and calls expr->ops->validate, a function pointer they control. To get root without returning cleanly to userland, they overwrote modprobe_path, disabled SELinux enforcement by zeroing the enforcing field in selinux_state, and put the kernel to sleep with msleep to trigger the payload from a separate process.

The attack requires nf_tables and unprivileged user namespaces, both enabled by default on most desktop and many server distributions. There’s no remote vector. This is a post-foothold bug: you need a local shell, a container escape context, or a compromised service account. Ubuntu has released kernel fixes for 22.04, 24.04, and 25.10. Debian fixed Bookworm and Trixie, with a 6.1 backport for Bullseye LTS. Red Hat, SUSE, and Amazon Linux track it too.

The fix patch was published February 5. FuzzingLabs published a working root exploit on April 16. Exodus published its full technical walkthrough on June 8. That’s a four-month window between patch and detailed exploitation guide, which sounds comfortable until you remember most infrastructure doesn’t reboot on a four-month cadence.

“A single character was removed: an exclamation mark. That tiny negation was enough to invert the activation logic in the abort path, which eventually enables a use-after-free.” concludes FuzzingLabs.

The researchers recommend that users update their kernel and reboot. If they can’t do that yet, the company urges restricting unprivileged user namespaces to block the exploit path until they can.

CVE-2026-23111 is part of a recent wave of Linux local privilege escalation vulnerabilities. Recently, multiple flaws have been disclosed, including Copy Fail, Dirty Frag and its Fragnesia variant, DirtyDecrypt, and an older ptrace bug.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)