CVE-2026-23111

Advisory lineage Upstream: 0 Downstream: 128
Modified
Published: 13 Feb 2026, 13:29
Last modified:02 Jun 2026, 13:00

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.8 HIGH
v3.1 (nvd)
EPSS Score
0.02% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 Feb 2026, 13:29
Published
Vulnerability first disclosed
02 Jun 2026, 13:00
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.02% Percentile: 5%

Techniques & Countermeasures

  • CWE-416Use After Free

    The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

  • linuxlinux

    ≥ 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8, < 8c760ba4e36c750379d13569f23f5a6e185333f5 | ≥ d60be2da67d172aecf866302c91ea11533eca4d9, < b9b6573421de51829f7ec1cce76d85f5f6fbbd7f | ≥ 628bd3e49cba1c066228e23d71a852c23e26da73, < 42c574c1504aa089a0a142e4c13859327570473d | ≥ 628bd3e49cba1c066228e23d71a852c23e26da73, < 1444ff890b4653add12f734ffeffc173d42862dd | ≥ 628bd3e49cba1c066228e23d71a852c23e26da73, < 8b68a45f9722f2babe9e7bad00aa74638addf081 | ≥ 628bd3e49cba1c066228e23d71a852c23e26da73, < f41c5d151078c5348271ffaf8e7410d96f2d82f8 | bc9f791d2593f17e39f87c6e2b3a36549a3705b1 | 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 | a136b7942ad2a50de708f76ea299ccb45ac7a7f9 | dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 | ≥ 5.15.121, < 5.15.200 | ≥ 6.1.36, < 6.1.163 | ≥ 4.19.316, < 4.20 | ≥ 5.4.262, < 5.5 | ≥ 5.10.188, < 5.11 | ≥ 6.3.10, < 6.4 | 6.4

  • linuxlinux_kernel

    ≥ 4.19.316, < 4.20 | ≥ 5.4.262, < 5.5 | ≥ 5.10.188, < 5.11 | ≥ 5.15.121, < 5.15.200 | ≥ 6.1.36, < 6.1.163 | ≥ 6.3.10, < 6.4 | ≥ 6.4.1, < 6.6.124 | ≥ 6.7, < 6.12.70 | ≥ 6.13, < 6.18.10 | 6.4 | 6.19:rc1 | 6.19:rc2 | 6.19:rc3 | 6.19:rc4 | 6.19:rc5 | 6.19:rc6 | 6.19:rc7 | 6.19:rc8

References (7)