CVE-2026-23111 Overview
CVE-2026-23111 is a use-after-free vulnerability in the Linux kernel's netfilter nf_tables subsystem. The vulnerability exists in the nft_map_catchall_activate() function, which contains an inverted genmask check that causes incorrect handling of catchall map elements during transaction abort operations. This logic error can be exploited to achieve local privilege escalation from an unprivileged user on systems that enable user namespaces (CONFIG_USER_NS) and nftables (CONFIG_NF_TABLES).
Critical Impact
Local privilege escalation vulnerability allowing unprivileged users to gain root access through user namespaces and nftables manipulation on affected Linux kernel distributions.
Affected Products
- Linux kernel with CONFIG_NF_TABLES enabled
- Linux distributions with CONFIG_USER_NS enabled
- Kernel versions prior to the security patches
Discovery Timeline
- 2026-02-13 - CVE-2026-23111 published to NVD
- 2026-02-13 - Last updated in the NVD database
Technical Details for CVE-2026-23111
Vulnerability Analysis
The vulnerability stems from a logic inversion in the nft_map_catchall_activate() function within the kernel's netfilter nf_tables implementation. This function is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction.
The correct behavior is to skip elements that are already active (no re-activation needed) and to process elements that are inactive (they need restoring). The buggy code does the opposite: it skips inactive elements and processes active ones.
For comparison, the non-catchall nft_mapelem_activate() function correctly implements:
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */
While the buggy catchall version incorrectly implements:
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */
Root Cause
The root cause is the inverted conditional check in nft_map_catchall_activate(). The function uses !nft_set_elem_active() where it should use nft_set_elem_active() (without negation) to match the behavior of its non-catchall counterpart. This inversion causes the function to skip the very elements that need re-activation and process elements that don't.
Attack Vector
When a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element due to the logic inversion. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count.
Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, a DELCHAIN operation succeeds and frees the chain while catchall verdict elements still reference it. This results in a use-after-free condition that can be exploited for local privilege escalation.
The attack can be triggered by an unprivileged user through user namespaces combined with nftables on distributions that enable both CONFIG_USER_NS and CONFIG_NF_TABLES.
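The reference-count drift described in the analysis, root-cause and attack-vector sections above, as an added illustration that is not kernel source: a deliberately simplified model of the genmask check with one catchall element holding a goto verdict to one chain. The structures, the GEN_NEXT bit and the single-element transaction are assumptions of this model; only the function names it mirrors come from the page.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model only (not kernel code): GEN_NEXT set in an element's genmask
 * means "inactive in the next generation", matching how
 * nft_set_elem_active() treats genmask bits. */
#define GEN_NEXT 0x2u

struct chain { unsigned int use; };           /* stands in for chain->use */
struct catchall_elem {
    unsigned char genmask;
    struct chain *goto_chain;                 /* NFT_GOTO verdict target */
};

/* Mirrors nft_set_elem_active(): active unless the generation bit is set. */
static bool elem_active(const struct catchall_elem *e, unsigned char genmask)
{
    return !(e->genmask & genmask);
}

/* DELSET in flight: the element is deactivated and its chain ref dropped. */
static void catchall_deactivate(struct catchall_elem *e)
{
    e->genmask |= GEN_NEXT;
    e->goto_chain->use--;                      /* release of the verdict ref */
}

/* Abort path. `fixed` selects the non-negated check used by
 * nft_mapelem_activate(); the other branch is the inverted check
 * the page attributes to nft_map_catchall_activate(). */
static void catchall_activate(struct catchall_elem *e, bool fixed)
{
    bool active = elem_active(e, GEN_NEXT);
    bool skip = fixed ? active : !active;      /* buggy: skips the inactive one */
    if (skip)
        return;
    e->genmask &= (unsigned char)~GEN_NEXT;    /* nft_clear() */
    e->goto_chain->use++;                      /* nft_setelem_data_activate() */
}

/* One aborted DELSET against a chain referenced once by the element.
 * Returns chain->use afterwards: 1 when restored, 0 when the ref leaked. */
unsigned int chain_use_after_aborted_delset(bool fixed)
{
    struct chain c = { .use = 1 };
    struct catchall_elem e = { .genmask = 0, .goto_chain = &c };
    catchall_deactivate(&e);
    catchall_activate(&e, fixed);
    return c.use;
}
```

With the fixed check the count returns to 1; with the inverted check it stays at 0, which is the state in which the page says a later DELCHAIN is allowed to free a chain the element still references.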
Detection Methods for CVE-2026-23111
Indicators of Compromise
- Unexpected nftables transaction abort sequences targeting catchall map elements
- Suspicious user namespace creation combined with nftables manipulation
- Kernel memory corruption artifacts or unexpected chain reference count behavior
- System instability or crashes related to netfilter operations
Detection Strategies
- Monitor for sequences of nftables operations involving DELSET followed by DELCHAIN commands from unprivileged users
- Deploy kernel audit rules to track nftables syscalls originating from user namespaces
- Implement detection for unusual reference count decrements on nf_tables chain objects
- Use kernel tracing (ftrace/BPF) to monitor nft_map_catchall_activate() and related functions
Monitoring Recommendations
- Enable and monitor kernel audit logs for netfilter-related syscalls
- Deploy memory corruption detection tools on critical systems
- Monitor for privilege escalation indicators following nftables operations
- Review system logs for signs of nf_tables-related kernel warnings or errors
How to Mitigate CVE-2026-23111
Immediate Actions Required
- Apply the kernel security patches immediately on all affected systems
- Consider disabling user namespaces (CONFIG_USER_NS=n) if not required for operations
- Restrict access to nftables via kernel capabilities where possible
- Monitor for suspicious nftables activity from unprivileged users
Patch Information
The Linux kernel maintainers have released patches to fix this vulnerability. The fix removes the negation in the conditional check so that nft_map_catchall_activate() matches the correct behavior of nft_mapelem_activate(): skipping active elements and processing inactive ones.
Security patches are available through the following kernel commits:
- Kernel Commit 1444ff8
- Kernel Commit 42c574c
- Kernel Commit 8b68a45
- Kernel Commit 8c760ba
- Kernel Commit b9b6573
- Kernel Commit f41c5d1
Workarounds
- Disable user namespaces for unprivileged users via sysctl kernel.unprivileged_userns_clone=0
- Restrict nftables access using kernel capabilities (CAP_NET_ADMIN)
- Use network namespaces with appropriate access controls
- Consider using iptables-legacy as an alternative to nftables until patching is complete
# Disable unprivileged user namespaces as a mitigation
# Note: kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels;
# on mainline kernels the equivalent hardening knob is user.max_user_namespaces=0
printf 'kernel.unprivileged_userns_clone=0\n' > /etc/sysctl.d/99-disable-unpriv-userns.conf
sysctl -p /etc/sysctl.d/99-disable-unpriv-userns.conf
# Verify the setting is applied (expected output: kernel.unprivileged_userns_clone = 0)
sysctl kernel.unprivileged_userns_clone
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.