Severity: HIGH

CVE-2026-23111

Published: February 13, 2026 · Updated: Feb 13, 2026

EPSS: 0.03% probability of exploitation in 30 days (percentile: 9.0th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0; /* skip active, process inactive */

With the buggy catchall version:

nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue; /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
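To make the reference-count consequence of the inverted check concrete, here is a small added model of the deactivate/abort sequence (example code written for this page, not kernel code; the genmask convention, the struct names and the single-element set are simplifying assumptions). The same element goes through an aborted DELSET once with the correct check and once with the negated one; only the buggy path leaves chain->use at zero while the element still points at the chain.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (added example, not kernel code): one catchall verdict
 * element holding a reference on a chain via chain->use. */
struct chain { int use; };
struct catchall_elem { unsigned int genmask; struct chain *chain; };

/* nf_tables marks an element inactive for a generation by setting that
 * generation's bit in its genmask; a clear bit means the element is active. */
static bool elem_active(const struct catchall_elem *e, unsigned int genmask) {
    return !(e->genmask & genmask);
}

/* DELSET path: mark the element inactive and release its hold on the chain
 * (nft_setelem_data_deactivate -> nft_data_release in the kernel). */
static void map_catchall_deactivate(struct catchall_elem *e, unsigned int genmask) {
    if (!elem_active(e, genmask))
        return;
    e->genmask |= genmask;
    e->chain->use--;
}

/* Abort path. The buggy variant negates the activity test, so the element
 * that was just deactivated is exactly the one it skips. */
static void map_catchall_activate(struct catchall_elem *e, unsigned int genmask, bool buggy) {
    bool skip = buggy ? !elem_active(e, genmask) : elem_active(e, genmask);
    if (skip)
        return;
    e->genmask &= ~genmask;   /* nft_clear: active again */
    e->chain->use++;          /* nft_setelem_data_activate -> nft_data_hold */
}

/* One aborted DELSET; returns chain->use afterwards. A correct abort leaves it
 * at 1, the buggy one at 0, which is the state in which DELCHAIN would succeed. */
int chain_use_after_aborted_delset(bool buggy) {
    struct chain c = { .use = 1 };      /* the only hold is this element's */
    struct catchall_elem e = { .genmask = 0, .chain = &c };
    const unsigned int genmask = 1u;    /* stands in for the "next generation" bit */
    map_catchall_deactivate(&e, genmask);
    map_catchall_activate(&e, genmask, buggy);   /* transaction aborted */
    return c.use;
}

int main(void) {
    printf("fixed check: chain->use = %d\n", chain_use_after_aborted_delset(false));
    printf("buggy check: chain->use = %d\n", chain_use_after_aborted_delset(true));
    return 0;
}
```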

NVD Source

Technical Analysis

CVE-2026-23111 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

News & Research Mentioning CVE-2026-23111

One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public
The Hacker News· Jun 8, 2026

Security researchers have published a detailed, working exploit for a Linux kernel use-after-free that lets an unprivileged local user escalate to root and break out of a container. The flaw, CVE-2026-23111, sits in the kernel's nf_tables packet-filtering code and was patched upstream on February 5, 2026. Exodus Intelligence released its full technical walkthrough on June 8, and it is not even


Quick Facts

CVE ID: CVE-2026-23111
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.03%
Published: Feb 13, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23111 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.