PT-2026-7991 · Linux · Linux Kernel
Published 2026-01-01 · Updated 2026-06-11 · CVE-2026-23111
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A use-after-free exists in the nf_tables packet-filtering subsystem of the Linux kernel. The flaw is in the nft_map_catchall_activate() function, which contains an inverted element-activity check. When a transaction that deletes a catchall element inside an NFT_SET_MAP verdict map is aborted, the function incorrectly skips inactive elements and processes active ones. As a result, nft_setelem_data_activate() is never called for the catchall element, and for NFT_GOTO verdict elements nft_data_hold() is not called to restore the chain->use reference count.
Each abort cycle therefore permanently decrements chain->use. Once the count reaches zero, a DELCHAIN operation can succeed and free the chain while catchall verdict elements still reference it. An unprivileged local user can exploit this for local privilege escalation to root and container escape on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. The exploitation process involves crafted netlink batches to trigger the use-after-free, leaking the kernel base to defeat KASLR (Kernel Address Space Layout Randomization), and executing a ROP (Return-Oriented Programming) chain that calls commit_creds(&init_cred) and switch_task_namespaces().
Recommendations
Update the Linux kernel to a version containing the fix applied on February 5, 2026.
As a temporary mitigation, restrict unprivileged users from creating network namespaces by setting kernel.unprivileged_userns_clone=0.
Tags: Exploit · Fix · LPE · Use After Free
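As an added exposure check, not part of this advisory, the following POSIX shell script assesses a host against the preconditions and the temporary mitigation named in the recommendations above: it reports "exposed" only when CONFIG_USER_NS and CONFIG_NF_TABLES are both enabled and kernel.unprivileged_userns_clone is not set to 0. The function names and verdict logic are my own; the sysctl is distribution-specific, so its absence is treated as unrestricted (an assumption).

```shell
#!/bin/sh
# Added example, not from the advisory: exposure check against the
# preconditions named above (CONFIG_USER_NS and CONFIG_NF_TABLES enabled)
# and the temporary mitigation (kernel.unprivileged_userns_clone=0).
# Functions take their input as strings so captured config/sysctl data
# can be assessed offline as well as the live host.

# config_has NAME CONFIG_TEXT: succeeds if NAME is built in (y) or a module (m)
config_has() {
    printf '%s\n' "$2" | grep -Eq "^$1=(y|m)$"
}

# userns_clone_restricted VALUE: succeeds if the sysctl value is exactly 0
userns_clone_restricted() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# assess CONFIG_TEXT SYSCTL_VALUE: prints a verdict; returns 0 when the host
# is not exposed by these preconditions, 1 when it is exposed.
assess() {
    cfg="$1"; clone="$2"
    if ! config_has CONFIG_USER_NS "$cfg" || ! config_has CONFIG_NF_TABLES "$cfg"; then
        echo "not exposed: CONFIG_USER_NS or CONFIG_NF_TABLES is disabled"
        return 0
    fi
    if userns_clone_restricted "$clone"; then
        echo "mitigated: kernel.unprivileged_userns_clone=0 is set; still update the kernel"
        return 0
    fi
    echo "exposed: update the kernel or set kernel.unprivileged_userns_clone=0"
    return 1
}

# live_check: read the running kernel's config and the sysctl from the host.
# The sysctl is distribution-specific; if it is absent, user namespace
# creation is treated as unrestricted (assumption).
live_check() {
    cfg=""
    if [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    elif [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    fi
    if [ -z "$cfg" ]; then
        echo "unknown: kernel config not readable"; return 2
    fi
    clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo absent)
    assess "$cfg" "$clone"
}
```

Run `live_check` on the host to get a verdict, or feed `assess` a captured kernel config and sysctl value from a fleet inventory.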
Affected Products
Linuxmint
Linux Kernel
Rocky Linux
Ubuntu