CVE-2026-23111
Awaiting Analysis Awaiting Analysis - Queue
Use-After-Free in Linux Kernel nftables Allows Local Privilege Escalation

Publication date: 2026-02-13

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-04-03
Generated
2026-05-07
AI Q&A
2026-02-13
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23111
EUVD
EUVD-2026-6170
Affected Vendors & Products
Showing 18 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.4
linux linux_kernel From 5.4.262 (inc) to 5.5 (exc)
linux linux_kernel From 5.10.188 (inc) to 5.11 (exc)
linux linux_kernel From 4.19.316 (inc) to 4.20 (exc)
linux linux_kernel From 6.3.10 (inc) to 6.4 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.7 (inc) to 6.12.70 (exc)
linux linux_kernel 6.19
linux linux_kernel From 5.15.121 (inc) to 5.15.200 (exc)
linux linux_kernel From 6.1.36 (inc) to 6.1.163 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.10 (exc)
linux linux_kernel From 6.4.1 (inc) to 6.6.124 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter nftables subsystem, specifically in the function nft_map_catchall_activate(). The function has an inverted check for element activity compared to its intended logic and its non-catchall counterpart nft_mapelem_activate().

The function is supposed to skip elements that are already active and process those that are inactive during an abort of a DELSET operation. However, due to the inverted check, it skips inactive elements and processes active ones instead.

As a result, when a DELSET operation is aborted, the catchall element is not properly re-activated, leading to a permanent decrement of a chain's use reference count. Eventually, this causes the chain to be freed while still being referenced by catchall verdict elements, resulting in a use-after-free condition.

This flaw can be exploited locally by an unprivileged user through user namespaces combined with nftables on systems that have CONFIG_USER_NS and CONFIG_NF_TABLES enabled.


How can this vulnerability impact me? :

The vulnerability can lead to a use-after-free condition in the Linux kernel's nftables subsystem, which can be exploited by a local unprivileged user.

Exploitation allows for local privilege escalation, meaning an attacker with limited access could gain higher privileges on the affected system.

This could compromise system security by allowing unauthorized access or control, potentially leading to further attacks or system instability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by correcting the inverted element activity check in nft_map_catchall_activate() in the Linux kernel netfilter nf_tables subsystem.

Immediate mitigation steps include updating the Linux kernel to a version where this fix is applied, which removes the negation in the check so that active elements are skipped and inactive ones are processed correctly.

Since this vulnerability allows local privilege escalation via user namespaces and nftables, disabling CONFIG_USER_NS or CONFIG_NF_TABLES kernel options temporarily may reduce risk if updating is not immediately possible.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart