Published Mar 16, 2026 · Updated May 18, 2026

Pwn2Own Discovery: Linux Kernel nf_tables Use-After-Free Flaw (CVE-2022-32250) Allows Local Root Escalation

A use-after-free vulnerability in the Linux kernel's nf_tables subsystem, discovered at Pwn2Own and tracked as CVE-2022-32250, lets local attackers escalate privileges to root.

A use-after-free vulnerability in the Linux kernel's nf_tables subsystem, discovered by researcher Keith Yeo and demonstrated at the Pwn2Own hacking contest, allows local attackers to escalate privileges to root. The flaw, tracked as CVE-2022-32250 and assigned a CVSS score of 8.8, was publicly disclosed on March 16, 2026, by the Zero Day Initiative (ZDI) in advisory ZDI-26-191.

The vulnerability resides in the kernel's netfilter nf_tables component, which is used for packet filtering and network address translation. The specific flaw stems from improper validation of nft_objects before performing operations on them. An attacker who has already achieved low-privileged code execution on a target system can trigger a use-after-free condition, leading to memory corruption that can be leveraged to execute arbitrary code in the context of root.

The issue was reported to the Linux kernel maintainers on May 25, 2022, but the coordinated public advisory was only released on March 16, 2026, alongside the Pwn2Own demonstration. Linux has issued a fix for the vulnerability, and Ubuntu has provided updated packages via its security portal. The disclosure timeline suggests a lengthy patching process, which may have left systems exposed for an extended period.

The impact of CVE-2022-32250 is significant because the nf_tables subsystem is widely used across Linux distributions, including enterprise servers, cloud infrastructure, and embedded devices. A successful exploit could allow an attacker with local access to gain full root control, enabling them to install malware, exfiltrate data, or pivot to other systems. The CVSS score of 8.8 reflects the high confidentiality, integrity, and availability impact, though the attack vector is local.

While no active in-the-wild exploitation has been reported as of the advisory date, the public disclosure of the vulnerability and its demonstration at Pwn2Own increase the likelihood that threat actors will develop and deploy exploits. System administrators are urged to apply the kernel patch immediately, especially on systems where untrusted users have local access. Ubuntu users can update via the official security repository.

This disclosure adds to a growing list of privilege escalation vulnerabilities in the Linux kernel discovered through structured bug-hunting programs like Pwn2Own. The competition has historically driven the discovery of critical flaws in widely used software, and CVE-2022-32250 underscores the importance of rigorous memory safety validation in kernel subsystems. The lengthy gap between reporting and patching also highlights challenges in coordinating fixes across the open-source ecosystem.

Synthesized by Vypr AI