
CVE-2026-23111: a single character in nf_tables opens the door to root on Linux

The Linux kernel’s netfilter nf_tables subsystem handles packet filtering and sits under nftables. It has picked up another serious flaw: CVE-2026-23111, a use-after-free that lets a local, unprivileged user climb all the way to root. The odd part is that one character of source code both introduced the bug and fixed it.

What the vulnerability is

The bug lives in the nft_map_catchall_activate() function in net/netfilter/nf_tables_api.c. When an nftables transaction is aborted, that function carries an inverted condition: it processes the active elements and skips the inactive ones, the exact opposite of what the correct nft_mapelem_activate() does.

The effect is quiet but dangerous. When a DELSET operation is aborted, nft_setelem_data_activate() is never called again for the catchall element. With NFT_GOTO verdict elements, that means the chain->use reference counter is never restored. Each abort cycle permanently decrements that counter. Once chain->use hits zero, a DELCHAIN operation frees the chain while catchall elements still point at it, and that is where the use-after-free shows up.

From there, an attacker can leak the kernel base address, then a heap address, and finally run a ROP chain that pivots through msg_msg objects to gain root privileges.

Who is affected

The flaw reaches many Linux kernel branches: from the 5.4 series up to 6.18.10, covering 5.10, 5.15, 6.1, 6.6 and 6.12. In practice, the vulnerable systems are those with CONFIG_USER_NS (user namespaces) and CONFIG_NF_TABLES enabled, a common setup on both desktops and servers. Exploitation has been demonstrated on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.

This matters because user namespaces let an unprivileged user manipulate nftables inside their own namespace, which drops the old barrier of “you must be root to touch netfilter.”

Severity

The CVSS 3.1 score is 7.8 (high), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It needs local access and low privileges, with no user interaction. The real-world danger climbs higher because, once the patch landed on 5 February 2026, working public exploits and proofs of concept appeared that reproduce the escalation to root reliably.

Mitigation and patch

The upstream patch, applied on 5 February 2026, comes down literally to removing one negation character (!) so the check matches nft_mapelem_activate(): skip active elements and process inactive ones.

What to do now:

  • Update the kernel to a patched version (for example 5.10.249, 6.1.162, 6.6.122 or 6.12.71 or later) and reboot.
  • If you cannot patch right away, disable unprivileged user namespaces when you do not need them: sysctl -w kernel.unprivileged_userns_clone=0 (on Debian/Ubuntu kernels) or sysctl -w user.max_user_namespaces=0. Both settings revert on reboot unless they are also written to a file under /etc/sysctl.d.
  • Consider enabling security modules such as SELinux or AppArmor to cut down the attack surface of compromised processes.
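As an added example (not code from the article or from the kernel project), here is a read-only shell check that compares the running kernel against the fix versions the article lists and reports whether the user-namespace workaround is in place. Series the article gives no fix version for are flagged for a distribution-advisory lookup rather than guessed.

```sh
#!/bin/sh
# Added example, not from the article: read-only local check for the
# CVE-2026-23111 conditions it describes. Fix versions are the ones the
# article names; any other series is reported as "check your advisory".

# $1 = kernel release string, e.g. 6.1.162-1-amd64.
# Returns 0 if at or above the listed fix for its series, 1 if below,
# 2 if this script lists no fix version for that series.
patched_version() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;  # drop "-1-amd64"
        *)   patch=0 ;;
    esac
    case "$major.$minor" in
        5.10) fix=249 ;;
        6.1)  fix=162 ;;
        6.6)  fix=122 ;;
        6.12) fix=71 ;;
        *)    return 2 ;;
    esac
    [ "${patch:-0}" -ge "$fix" ]
}

# $1 = kernel.unprivileged_userns_clone ("" if the sysctl does not exist),
# $2 = user.max_user_namespaces. Returns 0 if either value blocks
# unprivileged user namespace creation, the workaround the article gives.
userns_blocked() {
    [ "$1" = "0" ] || [ "$2" = "0" ]
}

report() {
    kver=$(uname -r)
    patched_version "$kver" && rc=0 || rc=$?
    case $rc in
        0) echo "kernel $kver: at or above the fix version for its series" ;;
        1) echo "kernel $kver: below the fix version for its series, update and reboot" ;;
        *) echo "kernel $kver: series not listed here, check your distribution advisory" ;;
    esac
    clone=""
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        clone=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    fi
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo "")
    if userns_blocked "$clone" "$maxns"; then
        echo "unprivileged user namespaces: blocked (workaround in place)"
    else
        echo "unprivileged user namespaces: allowed (unprivileged nftables access possible)"
    fi
}

report
```

A "blocked" result only covers the sysctl workaround; a patched kernel remains the real fix, and a series reported as "not listed" should be checked against the vendor's advisory rather than assumed safe.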

Since this exploit leans on user namespaces, it is worth getting to know that technology in our article on namespaces and cgroups, and tightening process containment with SELinux and AppArmor.

You can check the affected component at /en/linux-kernel.
