Linux Kernel nftables Vulnerability Allows Privilege Escalation to Root
A use-after-free vulnerability in the Linux kernel's nftables subsystem, tracked as CVE-2026-23111, enables unprivileged local attackers to gain root privileges on Debian and Ubuntu systems.

A critical use-after-free vulnerability has been discovered in the Linux kernel's nftables subsystem, allowing unprivileged local attackers to escalate their privileges to root. This flaw, identified as CVE-2026-23111, affects widely used distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. The vulnerability was patched upstream on February 5, 2026, following its discovery in early 2025.
Security researcher Oliver Sieber from Exodus Intelligence has published a detailed technical analysis and a reliable exploit for this vulnerability. The exploit demonstrates a high success rate, achieving 99% stability on idle systems and approximately 80% under heavy heap pressure. The root cause lies within the nft_map_catchall_activate() function in the nftables packet filtering framework. A subtle logic error, specifically a misplaced negation operator, causes the function to incorrectly skip inactive catchall elements during an abort process.
As a result, when a transaction batch fails and is aborted, a catchall element is left inactive even though a valid reference to its associated chain still exists. The chain's reference counter is decremented incorrectly, leaving a dangling pointer. An attacker can then delete the chain while a base chain rule still holds a live reference to it, triggering the use-after-free condition.
The exploit meticulously chains together four transaction batches to manipulate nftables' generational cursor mechanism. Initially, the attacker deletes a pipapo set and forces an error to trigger the abort, leading to the incorrect reference count. Subsequent batches are used to toggle the generation cursor, cleanly delete the pipapo set to drive the chain's reference counter to zero, and finally delete the chain itself while a base chain rule still references it.
Following the use-after-free, the exploit proceeds to defeat Kernel Address Space Layout Randomization (KASLR) by reclaiming the freed slab memory with a seq_operations structure. Kernel function pointers are then leaked using an NFT_MSG_GETRULE request. Heap addresses are similarly leaked by reclaiming freed objects with crafted nft_rule structures.
Control flow hijacking is achieved by overwriting a pointer within the deleted chain's data structure with a fake nft_expr_ops structure. This fake structure points to a Return-Oriented Programming (ROP) gadget. The final ROP chain executes commit_creds(&init_cred) to grant root privileges and then uses switch_task_namespaces() to break out of container and namespace isolation.
For Ubuntu systems, an additional step is required to bypass AppArmor restrictions on unprivileged user namespace creation. This is achieved by executing aa-exec -p trinity -- unshare -Urmin /bin/sh before initiating the main exploit chain. The fix is available upstream as commit f41c5d1, and administrators are urged to apply it immediately or update to a patched kernel release from their respective distributions.
Notably, the same code change that introduced CVE-2026-23111 also created a related bug, CVE-2026-23278, which has been patched separately. While kernel.unprivileged_userns_clone=0 can offer partial mitigation on Ubuntu systems by restricting user namespace creation, applying the full kernel patch remains the most effective solution.
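As an added illustration of the triage check an administrator would want after reading the above, the following POSIX shell script (written for this article, not part of the Exodus Intelligence analysis or any distribution's tooling) reports whether the partial mitigation named in the text, kernel.unprivileged_userns_clone=0, is in effect and whether the nf_tables module is currently loaded. The knob is a Debian/Ubuntu kernel patch rather than an upstream sysctl, so its absence is reported as a distinct result rather than as "restricted". The optional file-path arguments and the AUDIT_MAIN variable are assumptions made so the functions can be exercised against constructed files; the script deliberately does not try to decide whether the running kernel carries commit f41c5d1, since the article gives no fixed package versions to compare against.

```shell
#!/bin/sh
# Added audit helper (not from the article or the Exodus analysis).
# Reports two things an administrator triaging CVE-2026-23111 wants to know:
#   1. is the partial mitigation kernel.unprivileged_userns_clone=0 in effect?
#   2. is the nf_tables module loaded on this host?
# Both checks accept an optional file path (an assumption for testability) so
# they can be run against constructed files instead of the live /proc entries.

# 0: knob present and set to 0 (unprivileged user namespaces disabled)
# 1: knob present but non-zero (mitigation not applied)
# 2: knob absent (Debian/Ubuntu kernel patch, not an upstream sysctl)
userns_clone_restricted() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -r "$f" ] || return 2
    v=$(tr -d '[:space:]' < "$f")
    [ "$v" = "0" ] && return 0
    return 1
}

# 0 when nf_tables is listed in /proc/modules (or the file given as $1), else 1.
# Each /proc/modules line starts with the module name followed by a space.
nf_tables_loaded() {
    f="${1:-/proc/modules}"
    [ -r "$f" ] || return 1
    grep -q '^nf_tables ' "$f"
}

# Prints a one-line verdict. Every branch still says "patch kernel": the sysctl
# only narrows who can reach nftables, it does not remove the use-after-free.
audit_verdict() {
    u=0; userns_clone_restricted "$1" || u=$?
    n=0; nf_tables_loaded "$2" || n=$?
    if [ "$n" -ne 0 ]; then
        echo "nf_tables not loaded; patch kernel anyway (module can autoload)"
        return 0
    fi
    case "$u" in
        0) echo "nf_tables loaded; unprivileged userns disabled (partial mitigation); patch kernel" ;;
        1) echo "nf_tables loaded; unprivileged userns ALLOWED; patch kernel urgently" ;;
        *) echo "nf_tables loaded; userns sysctl absent on this kernel; patch kernel" ;;
    esac
}

# Audit the running host unless the caller only wants the functions sourced.
if [ "${AUDIT_MAIN:-1}" = "1" ]; then
    audit_verdict
fi
```

Run it as root or as an ordinary user; it only reads /proc. For a fleet inventory, ship the one-line verdict to whatever collects host facts and alert on the "ALLOWED" and "absent" outcomes until the patched kernel is rolled out.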