A critical use-after-free vulnerability in the Linux kernel’s nftables subsystem has been publicly disclosed, enabling unprivileged local attackers to escalate privileges to root. A working exploit with over 99% reliability on idle systems has been published, making this a high-priority patch for any Linux administrator.
Vulnerability Overview
Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. Security researcher Oliver Sieber of Exodus Intelligence published a detailed technical write-up alongside a working exploit demonstrating greater than 99% reliability on idle systems and approximately 80% stability under heavy heap pressure.
The bug originates in the nft_map_catchall_activate() function within the nftables subsystem — a packet filtering framework built on top of Linux’s Netfilter hooks. A single inverted conditional check (a misplaced ! operator) causes the function to incorrectly skip inactive catchall elements during the abort process, instead of reactivating them.
How the Exploit Works
The exploit chains four transaction batches to manipulate nftables’ generational cursor mechanism:
- Batch 1: Delete the pipapo set, then force an error to trigger the abort — causing the chain reference counter to decrement incorrectly
- Batch 2: Send a benign transaction to toggle the generation cursor
- Batch 3: Delete the pipapo set cleanly, driving the chain’s reference counter to zero
- Batch 4: Delete the chain while the base chain retains a live rule referencing it
From there, the exploit defeats KASLR by reclaiming freed memory with a seq_operations structure, leaking kernel function pointers. Heap addresses are subsequently leaked using crafted nft_rule structures. Control flow hijacking is achieved by overwriting a deleted chain’s pointer with a fake structure pointing to a ROP gadget, ultimately calling commit_creds(&init_cred) to gain root credentials and escape namespace isolation.
On Ubuntu 24.04, namespace creation restrictions enforced via AppArmor can be bypassed using aa-exec -p trinity -- unshare -Urmin /bin/sh prior to exploitation.
Affected Distributions
The following widely deployed Linux distributions are confirmed vulnerable:
- Debian Bookworm
- Debian Trixie
- Ubuntu 22.04 LTS
- Ubuntu 24.04 LTS
Related Vulnerability: CVE-2026-23278
The same break statement that introduced CVE-2026-23111 also spawned a related bug tracked as CVE-2026-23278, patched separately via a second kernel commit. Administrators should ensure both patches are applied.
Mitigations and Recommendations
Administrators should immediately apply the upstream kernel patch (commit f41c5d1) or update to a patched kernel release provided by their distribution. On Ubuntu systems, restricting unprivileged user namespace creation provides a partial mitigation where policy permits:
- Apply kernel patch commit f41c5d1 or distribution-specific updates immediately
- On Ubuntu: set kernel.unprivileged_userns_clone=0 as an interim mitigation
- Monitor for unusual nftables activity or unexpected privilege escalation attempts
- Audit systems for any signs of compromise, as the exploit is publicly available and highly reliable
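To verify the interim mitigation above on a Debian or Ubuntu host, the following shell check is an added example and not part of the advisory; it reads the kernel.unprivileged_userns_clone knob named in the text and, as an assumption beyond the page, the Ubuntu AppArmor knob kernel.apparmor_restrict_unprivileged_userns, then probes whether an unprivileged user can actually create a user namespace.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the interim
# "restrict unprivileged user namespaces" mitigation is in effect.
# Assumes a Debian/Ubuntu kernel. kernel.apparmor_restrict_unprivileged_userns
# is the Ubuntu AppArmor knob and is included here as an assumption.

# Read a /proc/sys/kernel value, printing "absent" when the knob does not exist.
read_knob() {
    path="/proc/sys/kernel/$1"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Classify the two knob values: prints "mitigated", "partial" or "open".
#   $1 = unprivileged_userns_clone, $2 = apparmor_restrict_unprivileged_userns
classify_userns() {
    clone="$1"; aa="$2"
    if [ "$clone" = "0" ]; then
        echo mitigated      # no unprivileged user namespaces at all
    elif [ "$aa" = "1" ]; then
        echo partial        # only AppArmor-profiled programs may unshare
    else
        echo open           # any local user can create a user namespace
    fi
}

# Functional probe: as an unprivileged user, try to create a user namespace.
# Prints "blocked" or "allowed"; "skipped" when running as root or without unshare.
probe_userns() {
    if [ "$(id -u)" = "0" ] || ! command -v unshare >/dev/null 2>&1; then
        echo skipped
    elif unshare -Ur true 2>/dev/null; then
        echo allowed
    else
        echo blocked
    fi
}

main() {
    clone=$(read_knob unprivileged_userns_clone)
    aa=$(read_knob apparmor_restrict_unprivileged_userns)
    printf 'unprivileged_userns_clone=%s apparmor_restrict=%s -> %s\n' \
        "$clone" "$aa" "$(classify_userns "$clone" "$aa")"
    printf 'functional probe: %s\n' "$(probe_userns)"
}

main
```

A "partial" result means the sysctl-level mitigation is not in place and the AppArmor restriction alone is relied upon, which is the configuration the aa-exec note above concerns.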
The combination of a publicly available, highly reliable exploit targeting multiple major Linux distributions makes this a critical priority. Any organization running unpatched Debian or Ubuntu systems with untrusted local users should treat this as an emergency.