New Linux Kernel Flaw Enables Direct Root Privilege Escalation for Attackers


Key Takeaways

  • A use‑after‑free flaw in the Linux kernel’s nftables subsystem (CVE‑2026-23111) lets unprivileged local users gain root access on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
  • The bug stems from a misplaced “!” operator in nft_map_catchall_activate(), causing inactive catch‑all elements to stay de‑activated during transaction aborts.
  • An exploit chains four transaction batches to drive a chain’s reference counter to zero while a dangling pointer remains, then hijacks control flow via a crafted ROP chain that calls commit_creds(&init_cred).
  • The attacker defeats KASLR and leaks heap pointers by reclaiming freed kmalloc‑cg‑32 and kmalloc‑cg‑192 slabs with seq_operations and nft_rule objects.
  • On Ubuntu 24.04, AppArmor‑based namespace restrictions can be bypassed with aa-exec -p trinity -- unshare -Urmin /bin/sh before running the exploit.
  • The vulnerability was patched upstream on 5 February 2026 (commit f41c5d1); administrators should apply the patch or upgrade to a distribution‑provided fixed kernel.
  • A related flaw (CVE‑2026-23278) originated from the same erroneous break statement and was fixed via a separate commit.
  • Mitigation: set kernel.unprivileged_userns_clone=0 where policy allows, though applying the kernel fix is the definitive remedy.

Overview
In early 2025 security researcher Oliver Sieber of Exodus Intelligence disclosed a high‑severity use‑after‑free vulnerability in the Linux kernel’s nftables packet‑filtering subsystem. Tracked as CVE‑2026-23111, the flaw affects recent long‑term support releases of Debian and Ubuntu, enabling an unprivileged local attacker to escalate privileges to root with >99 % reliability on idle systems and ~80 % under moderate heap pressure. The researcher published a detailed technical write‑up and a working exploit that demonstrates the full attack chain, including KASLR defeat, heap spraying, and a return‑oriented programming (ROP) payload that grants root credentials and escapes namespace isolation.

Vulnerability Root Cause
The bug resides in the nft_map_catchall_activate() function, which is invoked when nftables processes a transaction that aborts. A single inverted conditional check—specifically a misplaced “!” operator—causes the function to skip the reactivation of inactive catch‑all elements instead of restoring them. When a pipapo‑backed verdict map that contains a catch‑all element referencing a chain is deleted, and a subsequent transaction in the same batch fails (triggering an abort), the catch‑all element remains incorrectly inactive. Consequently, the chain’s reference counter is decremented even though a valid reference to that chain still exists through a base‑chain rule. This mismatch sets the stage for a use‑after‑free condition when the chain is later deleted while the dangling pointer persists.

Exploit Mechanics – Transaction Batches
Sieber’s exploit leverages the nftables generational cursor by arranging four distinct transaction batches:

  1. Batch 1 – Induced Abort: The attacker deletes the pipapo set and forces an error (e.g., by adding an invalid rule) to trigger the abort path. Because of the faulty ! check, the catch‑all element stays inactive, causing the chain’s reference counter to be incorrectly decremented.
  2. Batch 2 – Cursor Toggle: A benign transaction is issued solely to flip the generation cursor, preparing the internal state for the next steps.
  3. Batch 3 – Clean Deletion: The pipapo set is deleted again, this time without error, driving the chain’s reference counter to zero while the base‑chain rule still holds a dangling pointer to the now‑freed chain object.
  4. Batch 4 – Chain Deletion: Finally, the chain itself is deleted. Because the reference counter already reads zero, the kernel frees the chain’s memory, but the dangling pointer in the base‑chain rule remains, creating a classic use‑after‑free scenario.

KASLR Defeat and Heap Spraying
To turn the dangling pointer into controllable memory, the exploit first defeats Kernel Address Space Layout Randomization (KASLR). It sprays the freed kmalloc‑cg‑32 slab with a seq_operations structure obtained by opening /proc/self/stat. Subsequent NFT_MSG_GETRULE requests leak kernel function pointers embedded in these objects, revealing the kernel’s base address. Next, the attacker reclaims freed kmalloc‑cg‑192 slabs with carefully crafted nft_rule structures whose linked‑list fields are likewise leaked via the same netlink query, providing precise heap addresses for later overwrites.

Control Flow Hijack and Privilege Escalation
With kernel and heap locations known, the attacker overwrites the blob_gen_0 field of the freed chain object—a pointer that nftables later dereferences during rule evaluation. The overwrite points to a fabricated nft_expr_ops structure whose eval function field contains the address of a ROP gadget (push rbx; pop rsp). By pivoting the stack to a user‑controlled buffer, the ROP chain executes commit_creds(&init_cred) to replace the current task’s credentials with those of the init process, thereby attaining root privileges. The final stage invokes switch_task_namespaces() to break out of any container or namespace confinement, yielding a fully privileged shell on the host system.

Distribution Impact and Mitigation
The vulnerability is confirmed exploitable on the following distributions: Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. On Ubuntu 24.04, default AppArmor profiles restrict unprivileged user namespace creation; however, the researcher showed that this restriction can be bypassed by invoking aa-exec -p trinity -- unshare -Urmin /bin/sh prior to executing the exploit, effectively nullifying the mitigation. A more robust, albeit partial, mitigation is to set the sysctl kernel.unprivileged_userns_clone=0, which blocks unprivileged namespace creation where policy permits. Nonetheless, the only definitive remedy is to apply the upstream kernel patch.

Related Flaw and Patching Guidance
The erroneous break statement that introduced CVE‑2026-23111 also gave rise to a second vulnerability, tracked as CVE‑2026-23278. This related bug was addressed in a separate kernel commit. Administrators should ensure that both patches are applied. The primary fix for CVE‑2026-23111 is commit f41c5d1, which corrects the inverted conditional in nft_map_catchall_activate(). Most distributions have already backported this fix to their respective kernel trees; users should upgrade to the latest kernel version provided by their vendor (e.g., Ubuntu’s linux-image-*-generic package or Debian’s linux-image-amd64). After updating, a system reboot is required to load the patched kernel.
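The two administrator checks described above (whether unprivileged user namespaces are blocked, from the Distribution Impact section, and whether the running kernel is at or past the vendor's fixed version, from the patching guidance) folded into one audit script. This is an added example, not the researcher's exploit or any vendor tool; FIXED_VERSION is a placeholder you fill in from your distribution's advisory, and the sysctl names kernel.unprivileged_userns_clone, user.max_user_namespaces and kernel.apparmor_restrict_unprivileged_userns are assumed to be the knobs your kernel exposes.

```shell
#!/bin/sh
# Added exposure check for CVE-2026-23111 (not from the article or the exploit).
# Assumes standard /proc/sys paths; FIXED_VERSION below is a placeholder.

# kernel_at_least RUNNING FIXED -> exit 0 when RUNNING >= FIXED, comparing the
# numeric fields left to right ("6.8.0-52-generic" is read as 6 8 0 52).
kernel_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# userns_restricted CLONE MAXNS -> exit 0 when unprivileged user namespace
# creation is blocked by the Debian/Ubuntu sysctl kernel.unprivileged_userns_clone=0
# or by user.max_user_namespaces=0. Pass "absent" for a knob the kernel lacks.
userns_restricted() {
  [ "$1" = "0" ] && return 0
  [ "$2" = "0" ] && return 0
  return 1
}

# read_knob PATH -> prints the sysctl value under /proc/sys, or "absent".
read_knob() { [ -r "/proc/sys/$1" ] && cat "/proc/sys/$1" || echo absent; }

FIXED_VERSION="${FIXED_VERSION:-0.0.0}"  # placeholder: take from your vendor advisory
running=$(uname -r)
if kernel_at_least "$running" "$FIXED_VERSION"; then
  echo "kernel $running: at or above $FIXED_VERSION"
else
  echo "kernel $running: OLDER than $FIXED_VERSION, update and reboot"
fi

if userns_restricted "$(read_knob kernel/unprivileged_userns_clone)" \
                     "$(read_knob user/max_user_namespaces)"; then
  echo "unprivileged user namespaces: blocked (partial mitigation in place)"
else
  echo "unprivileged user namespaces: PERMITTED"
fi
# The AppArmor knob alone is not counted as a mitigation: the article shows the
# aa-exec -p trinity bypass defeats it.
echo "apparmor_restrict_unprivileged_userns: $(read_knob kernel/apparmor_restrict_unprivileged_userns)"
```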

Conclusion
CVE‑2026-23111 illustrates how a seemingly minor logic error—a single misplaced “!”—can cascade into a powerful privilege‑escalation chain when combined with sophisticated heap manipulation and ROP techniques. The exploit’s reliability across idle and loaded systems underscores the practical risk to multi‑tenant environments, containers, and any scenario where unprivileged local access is possible. Prompt kernel updates remain the essential defense; auxiliary measures like restricting unprivileged namespaces can reduce attack surface but should not be relied upon as a sole protection. By staying current with vendor‑provided kernels and monitoring for further advisories, administrators can safeguard their systems against this and similar nftables‑related vulnerabilities.
