Cyber Resilience

CVE-2026-23111

Severity: High (record updated)
Published: 13 February 2026
Modified: 02 June 2026
KEV added: not listed
Patch: stable fixes available (see Deeper analysis)
CVSS v3.1 score: 7.8 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0001 (2.2nd percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23111 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 2.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-23111 is a use-after-free vulnerability (CWE-416) in the Linux kernel's netfilter nf_tables subsystem, stemming from an inverted genmask check in the nft_map_catchall_activate() function. This function, called during abort paths of failed transactions, incorrectly skips inactive catchall map elements and processes active ones, unlike the correct nft_mapelem_activate() counterpart. As a result, catchall elements are not properly reactivated, preventing nft_setelem_data_activate() from being called. For NFT_GOTO verdict elements, this fails to restore the chain->use reference count via nft_data_hold(), leading to permanent decrements until chain->use reaches zero, allowing DELCHAIN to free the chain while elements still reference it.

A local unprivileged attacker can exploit this vulnerability on distributions enabling CONFIG_USER_NS and CONFIG_NF_TABLES by triggering repeated abort cycles during DELSET operations via nftables in a user namespace. This culminates in a use-after-free of the chain structure, enabling local privilege escalation. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Kernel stable patches address the issue by removing the negation in nft_map_catchall_activate()'s activity check, aligning it with nft_mapelem_activate() to skip active elements and process inactive ones for proper restoration. Fixes are available in commits such as 1444ff890b4653add12f734ffeffc173d42862dd, 42c574c1504aa089a0a142e4c13859327570473d, 8b68a45f9722f2babe9e7bad00aa74638addf081, 8c760ba4e36c750379d13569f23f5a6e185333f5, and b9b6573421de51829f7ec1cce76d85f5f6fbbd7f on git.kernel.org/stable.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
      if (nft_set_elem_active(ext, iter->genmask))
          return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
      if (!nft_set_elem_active(ext, genmask))
          continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
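To make the reference-count accounting in the Deeper analysis and in the commit message concrete, here is a small model of the bookkeeping, added for this page. It is constructed code, not the kernel's nf_tables implementation and not the patch: the struct layouts, the GENMASK_NEXT value and the helper names (chosen to mirror the kernel functions the text names) are assumptions. It tracks one chain, one catchall map element whose verdict is NFT_GOTO to that chain, and a generation bit in the sense the commit message describes (bit set means inactive in that generation). It runs one DELSET that is then aborted, once with the inverted check and once with the corrected one, and reports whether the chain's use count was restored and whether a subsequent DELCHAIN would leave the element pointing at freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model for illustration; not kernel code. */

struct chain {
    int use;     /* references held on this chain (the page's chain->use) */
    bool freed;  /* set once DELCHAIN has released it */
};

struct catchall_elem {
    unsigned char genmask;     /* bit set = inactive in that generation */
    struct chain *goto_chain;  /* NFT_GOTO verdict target */
};

/* Assumed model of nft_genmask_next(): the bit for the pending generation. */
static const unsigned char GENMASK_NEXT = 0x2;

/* Model of nft_set_elem_active(): active unless the generation bit is set. */
static bool elem_active(const struct catchall_elem *e, unsigned char genmask)
{
    return !(e->genmask & genmask);
}

/* Models of nft_data_hold() / nft_data_release() for an NFT_GOTO verdict. */
static void data_hold(struct catchall_elem *e)    { e->goto_chain->use++; }
static void data_release(struct catchall_elem *e) { e->goto_chain->use--; }

/* DELSET: mark the element dead in the next generation and drop its reference. */
static void catchall_deactivate(struct catchall_elem *e)
{
    if (!elem_active(e, GENMASK_NEXT))
        return;
    e->genmask ^= GENMASK_NEXT;   /* models nft_set_elem_change_active() */
    data_release(e);              /* models nft_setelem_data_deactivate() */
}

/* Abort path, buggy form: the negation skips the very element that needs restoring. */
static void catchall_activate_buggy(struct catchall_elem *e)
{
    if (!elem_active(e, GENMASK_NEXT))
        return;                   /* inverted check described by the CVE */
    e->genmask &= ~GENMASK_NEXT;  /* models nft_clear() */
    data_hold(e);                 /* models nft_setelem_data_activate() */
}

/* Abort path, fixed form: skip active elements, restore inactive ones. */
static void catchall_activate_fixed(struct catchall_elem *e)
{
    if (elem_active(e, GENMASK_NEXT))
        return;
    e->genmask &= ~GENMASK_NEXT;
    data_hold(e);
}

/* Run one DELSET that is aborted, then attempt DELCHAIN on the target chain. */
static void run_aborted_delset(bool fixed_check, struct chain *chain,
                               struct catchall_elem *elem)
{
    chain->use = 1;              /* the only reference is the element's verdict */
    chain->freed = false;
    elem->genmask = 0;           /* element starts active */
    elem->goto_chain = chain;

    catchall_deactivate(elem);   /* DELSET prepares removal */
    if (fixed_check)             /* abort is supposed to undo it */
        catchall_activate_fixed(elem);
    else
        catchall_activate_buggy(elem);

    if (chain->use == 0)         /* DELCHAIN only succeeds on an unreferenced chain */
        chain->freed = true;
}

/* chain->use after the aborted DELSET; 1 means the reference was restored. */
int chain_use_after_aborted_delset(bool fixed_check)
{
    struct chain chain;
    struct catchall_elem elem;
    run_aborted_delset(fixed_check, &chain, &elem);
    return chain.use;
}

/* true if the element still points at a chain that DELCHAIN has freed. */
bool element_dangles_after_delchain(bool fixed_check)
{
    struct chain chain;
    struct catchall_elem elem;
    run_aborted_delset(fixed_check, &chain, &elem);
    return elem.goto_chain->freed;
}

int main(void)
{
    printf("inverted check: chain->use=%d dangling=%d\n",
           chain_use_after_aborted_delset(false), element_dangles_after_delchain(false));
    printf("fixed check:    chain->use=%d dangling=%d\n",
           chain_use_after_aborted_delset(true), element_dangles_after_delchain(true));
    return 0;
}
```

With the inverted check the model ends with chain->use at 0 and the element still holding the chain pointer after DELCHAIN, which is the dangling reference the advisory describes; with the corrected check the use count returns to 1 and DELCHAIN is refused. The model deliberately stops at the bookkeeping and does not represent anything about what follows the free.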

CWE(s)

CWE-416: Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local kernel UAF exploit enabling privilege escalation from unprivileged user namespace context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31530 (same product: Linux / Linux Kernel)
CVE-2026-43019 (same product: Linux / Linux Kernel)
CVE-2026-23158 (same product: Linux / Linux Kernel)
CVE-2025-21893 (same product: Linux / Linux Kernel)
CVE-2026-31446 (same product: Linux / Linux Kernel)
CVE-2026-31650 (same product: Linux / Linux Kernel)
CVE-2026-23001 (same product: Linux / Linux Kernel)
CVE-2024-50051 (same product: Linux / Linux Kernel)
CVE-2025-21759 (same product: Linux / Linux Kernel)
CVE-2026-23077 (same product: Linux / Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.19, 6.4; 4.19.316 to 4.20; 5.4.262 to 5.5; 5.10.188 to 5.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)

Directly remediates the inverted genmask check in nft_map_catchall_activate() by applying the available Linux kernel stable patches, preventing the use-after-free in nf_tables catchall elements.

CM-6 Configuration Settings (prevent)

Enforces secure kernel configuration settings such as disabling unprivileged user namespaces (kernel.unprivileged_userns_clone=0), removing the prerequisite for local exploitation via CONFIG_USER_NS and CONFIG_NF_TABLES. That sysctl exists only on Debian- and Ubuntu-patched kernels; mainline kernels expose user.max_user_namespaces instead, so check which knob the target kernel actually provides.

Memory protection (prevent)

Implements kernel memory protections like KASLR, SMEP, and SMAP to hinder exploitation of the use-after-free on the chain structure even on an unpatched kernel.

References