CVE-2026-23111
Published: 13 February 2026
Summary
CVE-2026-23111 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 2.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-23111 is a use-after-free vulnerability (CWE-416) in the Linux kernel's netfilter nf_tables subsystem, stemming from an inverted genmask check in the nft_map_catchall_activate() function. This function, called during abort paths of failed transactions, incorrectly skips inactive catchall map elements and processes active ones, unlike the correct nft_mapelem_activate() counterpart. As a result, catchall elements are not properly reactivated, preventing nft_setelem_data_activate() from being called. For NFT_GOTO verdict elements, this fails to restore the chain->use reference count via nft_data_hold(), leading to permanent decrements until chain->use reaches zero, allowing DELCHAIN to free the chain while elements still reference it.
A local unprivileged attacker can exploit this vulnerability on distributions enabling CONFIG_USER_NS and CONFIG_NF_TABLES by triggering repeated abort cycles during DELSET operations via nftables in a user namespace. This culminates in a use-after-free of the chain structure, enabling local privilege escalation. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Kernel stable patches address the issue by removing the negation in nft_map_catchall_activate()'s activity check, aligning it with nft_mapelem_activate() to skip active elements and process inactive ones for proper restoration. Fixes are available in commits such as 1444ff890b4653add12f734ffeffc173d42862dd, 42c574c1504aa089a0a142e4c13859327570473d, 8b68a45f9722f2babe9e7bad00aa74638addf081, 8c760ba4e36c750379d13569f23f5a6e185333f5, and b9b6573421de51829f7ec1cce76d85f5f6fbbd7f on git.kernel.org/stable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6170
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
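A simplified C model of the reference-count bookkeeping the commit message describes, added here as an illustration and not kernel code: the struct names, the `inverted` flag standing in for the negated check, and the per-cycle accounting (no generation masks are tracked) are this model's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (not kernel code) of the bookkeeping described above: a
 * chain carries a 'use' count and a catchall map element with an NFT_GOTO
 * verdict holds one reference on it. DELSET drops that reference
 * (nft_data_release); an aborted transaction must take it back (nft_data_hold). */
struct chain { unsigned int use; };
struct catchall_elem {
    bool active;              /* stands in for the genmask activity bit */
    struct chain *goto_chain; /* chain referenced by the NFT_GOTO verdict */
};

/* Abort-path activity check; 'inverted' selects the vulnerable version,
 * which skips the inactive element that actually needs restoring. */
bool activate_skips(const struct catchall_elem *e, bool inverted)
{
    return inverted ? !e->active : e->active;
}

/* Run 'cycles' aborted DELSET transactions and return the final chain->use.
 * Each cycle deactivates the element and drops one reference, matching the
 * commit message's statement that every aborted cycle costs one reference.
 * A result of 0 means DELCHAIN would free a chain the element still points to. */
unsigned int chain_use_after_aborts(unsigned int initial_use,
                                    unsigned int cycles, bool inverted)
{
    struct chain c = { .use = initial_use };
    struct catchall_elem e = { .active = true, .goto_chain = &c };

    for (unsigned int i = 0; i < cycles && c.use > 0; i++) {
        e.active = false;                 /* DELSET deactivates the element */
        c.use--;                          /* nft_data_release() */
        if (activate_skips(&e, inverted)) /* abort path: nothing restored */
            continue;
        e.active = true;                  /* nft_clear() */
        c.use++;                          /* nft_data_hold() */
    }
    return c.use;
}

int main(void)
{
    printf("fixed check after 3 aborts: chain->use = %u\n",
           chain_use_after_aborts(3, 3, false));
    printf("buggy check after 3 aborts: chain->use = %u\n",
           chain_use_after_aborts(3, 3, true));
    return 0;
}
```

With the corrected check the count returns to its starting value after every abort; with the inverted check it falls by one per aborted cycle until it hits zero.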
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
A direct local kernel use-after-free exploit enabling privilege escalation from an unprivileged user-namespace context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the inverted genmask check in nft_map_catchall_activate() by applying the available Linux kernel stable patches, preventing the use-after-free in nf_tables catchall elements.
- CM-6 (Configuration Settings): Enforces secure kernel configuration settings such as disabling unprivileged user namespaces (kernel.unprivileged_userns_clone=0, a sysctl carried by Debian and Ubuntu kernels rather than upstream), removing the unprivileged user-namespace prerequisite for local exploitation on kernels built with CONFIG_USER_NS and CONFIG_NF_TABLES.
- Implements kernel memory protections such as KASLR, SMEP, and SMAP to hinder exploitation of the use-after-free on the chain structure even where the kernel is unpatched.