VYPR
Patch · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

Pwn2Own 2026 Linux Kernel Bug CVE-2022-1972 Disclosed: Out-of-Bounds Write in nf_tables_newset

Zero Day Initiative has disclosed CVE-2022-1972, a Linux kernel vulnerability in nf_tables_newset that allows local attackers to write past the end of an allocated buffer, potentially enabling privilege escalation to root.

The Zero Day Initiative (ZDI) has publicly disclosed a Linux kernel vulnerability, tracked as CVE-2022-1972 and assigned ZDI-26-193, which was demonstrated at Pwn2Own. The flaw resides in the `nf_tables_newset` function within the kernel's netfilter subsystem, a core component for packet filtering and network address translation. According to the advisory, the vulnerability allows a local attacker with low privileges to trigger an out-of-bounds write, potentially leading to information disclosure and, when combined with other bugs, full privilege escalation to root.

The specific issue stems from improper validation of user-supplied data when handling nft_objects. This can result in a write past the end of an allocated buffer, corrupting adjacent memory. While the CVSS score is relatively low at 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), the advisory notes that an attacker can leverage this vulnerability in conjunction with other exploits to execute arbitrary code in the context of root. This makes it a critical piece in local privilege escalation chains, particularly on systems where attackers already have a foothold.

The vulnerability was reported to the Linux kernel security team on May 25, 2022, by Team Orca of Sea Security (@seasecresponse, security.sea.com). After nearly four years, the coordinated public release of the advisory occurred on March 16, 2026. Linux has issued an update to correct the issue, with details available through Ubuntu's security portal at https://ubuntu.com/security/CVE-2022-2078#notes. Users and administrators are strongly advised to apply the latest kernel patches as soon as possible.

The disclosure of CVE-2022-1972 highlights the ongoing importance of securing the Linux kernel's netfilter subsystem, which has been a frequent target for researchers at Pwn2Own and other competitions. The long timeline between reporting and public disclosure—nearly four years—underscores the complexity of patching deep-seated kernel flaws without introducing regressions. For enterprise and cloud environments running Linux, this vulnerability serves as a reminder that local privilege escalation bugs remain a persistent threat, especially when combined with other attack vectors.

As with many Pwn2Own disclosures, the full technical details and proof-of-concept code may become available in the coming weeks, potentially increasing the risk of in-the-wild exploitation. Organizations should prioritize patching and monitor for any signs of local privilege escalation attempts. The ZDI advisory credits Team Orca of Sea Security for discovering the flaw, marking another successful demonstration of kernel exploitation at the prestigious hacking contest.

Synthesized by Vypr AI