New Linux Kernel Flaw Allows Root Privilege Escalation

Marcus Rodriguez, June 8, 2026

Details have emerged regarding a use-after-free vulnerability in the Linux kernel’s nftables subsystem. This flaw enables unprivileged local attackers to escalate privileges to root on widely deployed distributions, including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.

Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. Security researcher Oliver Sieber of Exodus Intelligence published a detailed technical write-up alongside a working exploit demonstrating >99% reliability on idle systems.

The bug sits in nft_map_catchall_activate() in the nftables subsystem, the packet filtering framework built on Linux's Netfilter hooks. That function runs on the abort path of a transaction batch: when a batch that deleted a map is rolled back, it is supposed to reactivate the map's catchall element (the wildcard entry matched when no other key fits) and restore the reference that element's verdict holds on its target chain.

Specifically, a single inverted conditional check (a misplaced ! operator) makes the function skip inactive catchall elements during the abort instead of reactivating them. The elements that are inactive at that point are exactly the ones the aborted batch had just deactivated, so the function restores nothing.

When a pipapo-backed verdict map whose catchall element references a chain is deleted, and a later transaction in the same batch fails and triggers an abort, the set deletion is undone but the catchall element stays inactive.

The chain's use counter is therefore left one lower than the number of live references to it: the deletion decremented it and the abort never re-incremented it. An attacker can then drive the counter to zero and delete the chain while a rule in a base chain still holds a pointer to it, triggering the use-after-free.

The exploit chains four transaction batches to abuse nftables' generational cursor (the two-bit genmask that records whether an element is live in the current and in the next generation):

  • Batch 1: Delete the pipapo set, then force a later operation in the same batch to fail so the batch aborts. The deletion decrements the chain's use counter and the broken abort path never restores it.
  • Batch 2: Send a benign transaction so the generation cursor toggles and the next set deletion processes the catchall element again.
  • Batch 3: Delete the pipapo set cleanly, driving the chain's use counter to zero.
  • Batch 4: Delete the chain. Its counter reads zero, so the kernel frees it although a rule in the base chain still references it.
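To make the counting concrete, here is a small model of the generation-mask bookkeeping described above, replayed through the four batches. It is an added example written for this page, not kernel code and not Sieber's exploit: the struct names, genmask_next(), elem_active(), catchall_deactivate() and the two activate variants are simplifications modelled loosely on nftables' two-bit generation mask, and the initial state (one base-chain jump rule plus the vmap catchall, both referencing the target chain) is an assumption about the setup. It runs the buggy and the corrected abort path side by side and reports the chain's use count at the moment batch 4 asks to delete it.

```c
/* Simplified model of the nftables generation-mask and chain use-count
 * logic behind CVE-2026-23111.  Added example: NOT kernel code and NOT the
 * published exploit; every name here is a simplification, and the semantics
 * are modelled loosely on nftables' two-bit genmask scheme. */
#include <stdbool.h>
#include <stdio.h>

struct net_state { unsigned base_seq; };   /* parity selects "current" vs "next" gen */
struct chain     { int use; };             /* references from rules and set elements */
struct catchall  { unsigned genmask; struct chain *verdict_chain; };
struct vmap      { struct catchall *catchall; };

/* Bit of the generation a pending transaction batch is being built for. */
static unsigned genmask_next(const struct net_state *n)
{
    return 1u << !(n->base_seq & 1);
}

/* An element is active in a generation when that generation's bit is clear. */
static bool elem_active(const struct catchall *e, unsigned genmask)
{
    return !(e->genmask & genmask);
}

/* Set-deletion path: mark the catchall dead in the next generation and drop
 * the reference its verdict holds on the target chain. */
static void catchall_deactivate(struct net_state *n, struct vmap *m)
{
    unsigned next = genmask_next(n);
    struct catchall *e = m->catchall;

    if (!elem_active(e, next))
        return;
    e->genmask ^= next;
    e->verdict_chain->use--;
}

/* Abort path as the article describes the bug: the test is inverted, so the
 * element that was just deactivated (and therefore needs restoring) is skipped. */
static void catchall_activate_buggy(struct net_state *n, struct vmap *m)
{
    unsigned next = genmask_next(n);
    struct catchall *e = m->catchall;

    if (!elem_active(e, next))
        return;                     /* BUG: returns for exactly the element to restore */
    e->genmask ^= next;
    e->verdict_chain->use++;
}

/* Corrected abort path: leave still-active elements alone, restore the rest. */
static void catchall_activate_fixed(struct net_state *n, struct vmap *m)
{
    unsigned next = genmask_next(n);
    struct catchall *e = m->catchall;

    if (elem_active(e, next))
        return;
    e->genmask ^= next;
    e->verdict_chain->use++;
}

static void commit(struct net_state *n) { n->base_seq++; }  /* flips current/next */

/* Replays the article's four batches against one abort-path implementation.
 * Returns the target chain's use count when batch 4 asks to delete it:
 * 0 means the kernel would free the chain although the base-chain jump rule
 * still points at it (the use-after-free); 1 means the deletion gets EBUSY. */
static int run_batches(void (*activate)(struct net_state *, struct vmap *))
{
    struct net_state net = { .base_seq = 1 };
    struct chain target = { .use = 0 };
    struct catchall e = { .genmask = 0, .verdict_chain = &target };
    struct vmap map = { .catchall = &e };

    target.use++;   /* assumed setup: a base-chain rule jumps to target */
    target.use++;   /* the vmap's catchall verdict also jumps to target */

    catchall_deactivate(&net, &map);   /* batch 1: delete the set ...            */
    activate(&net, &map);              /* ... a later op fails, abort undoes it   */

    commit(&net);                      /* batch 2: benign transaction, cursor flips */

    catchall_deactivate(&net, &map);   /* batch 3: delete the set for real        */
    commit(&net);

    return target.use;                 /* batch 4: chain deletion allowed iff 0   */
}

int main(void)
{
    printf("buggy abort path: chain use = %d at batch 4 (0 = freed, rule dangling)\n",
           run_batches(catchall_activate_buggy));
    printf("fixed abort path: chain use = %d at batch 4 (1 = EBUSY)\n",
           run_batches(catchall_activate_fixed));
    return 0;
}
```

The one-bit difference between the two activate functions is the whole bug: with the inverted test the abort restores nothing, the counter drifts by one per aborted deletion, and a single clean deletion afterwards is enough to make a still-referenced chain look unreferenced.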

From there, the exploit defeats KASLR by reclaiming the freed kmalloc-cg-32 slot with a seq_operations structure (allocated by opening /proc/self/stat) and reading its kernel function pointers back through an NFT_MSG_GETRULE request.

Heap addresses are leaked the same way: freed kmalloc-cg-192 objects are reclaimed with crafted nft_rule structures, and their linked-list pointers are read back through the same request.

Control flow is hijacked by overwriting the deleted chain's blob_gen_0 pointer with a fake nft_expr_ops structure that points to a stack-pivot gadget (push rbx; pop rsp). The ROP chain then calls commit_creds(&init_cred) to obtain root credentials and switch_task_namespaces() to leave the attacker's namespaces, giving a full container and namespace breakout.

On Ubuntu 24.04, the AppArmor restriction on unprivileged user namespace creation can be bypassed by running aa-exec -p trinity -- unshare -Urmin /bin/sh before exploitation, so that restriction on its own does not stop the attack.

Distribution Status

Distribution       Status
Debian Bookworm    Vulnerable
Debian Trixie      Vulnerable
Ubuntu 22.04 LTS   Vulnerable
Ubuntu 24.04 LTS   Vulnerable

The exploit achieved >99% stability on idle systems and approximately 80% stability under heavy heap pressure (Apache benchmark via Phoronix Test Suite), making it highly reliable in real-world conditions, Oliver Sieber said.

Notably, the same break statement that introduced this flaw also spawned a related bug tracked as CVE-2026-23278, patched separately via a second kernel commit.

Administrators should immediately apply the upstream kernel patch (commit f41c5d1) or update to a patched kernel release provided by their distribution.

On Ubuntu systems, restricting unprivileged user namespace creation via kernel.unprivileged_userns_clone=0 provides a partial mitigation where policy permits. It works by closing the route an unprivileged user takes to CAP_NET_ADMIN, which nftables requires before it accepts any netlink request; it does not fix the bug, a process that already holds CAP_NET_ADMIN in some network namespace can still reach it, and, as noted above, the AppArmor-based restriction on Ubuntu 24.04 does not hold on its own.
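The checks a practitioner would want on a Debian or Ubuntu host, as an added example (not from the article or from either distribution): it reports the two sysctls involved and empirically tests whether an unprivileged user ends up with CAP_NET_ADMIN inside a fresh user+network namespace, which is the precondition for reaching nftables at all. It assumes the sysctl names kernel.unprivileged_userns_clone and kernel.apparmor_restrict_unprivileged_userns, and reuses the aa-exec profile switch named above purely as a posture probe. It reports what is in place; whether the running kernel carries the fix must still be checked against the distribution advisory.

```shell
#!/bin/sh
# Added example (not from the article): report the host-side conditions the
# exploit depends on.  Assumed sysctl names: kernel.unprivileged_userns_clone
# (Debian/Ubuntu kernels) and kernel.apparmor_restrict_unprivileged_userns
# (Ubuntu 24.04).  This does not decide "patched".

# True if a CapEff hex mask (format of /proc/<pid>/status) contains
# CAP_NET_ADMIN, capability number 12, which nftables requires.
has_cap_net_admin() {
    mask=$1
    case $mask in ????*) ;; *) return 1 ;; esac    # need at least 4 hex digits
    low4=${mask#"${mask%????}"}                      # last 4 hex digits hold bits 0-15
    [ $(( (0x$low4 >> 12) & 1 )) -eq 1 ]
}

# Effective capability mask a fresh user+net namespace grants the caller.
# $@ is an optional command prefix (e.g. an aa-exec profile switch); empty
# output means the namespace could not be created.
caps_in_new_userns() {
    "$@" unshare -Urn sh -c 'sed -n "s/^CapEff:[[:space:]]*//p" /proc/self/status' 2>/dev/null
}

report() {
    for key in kernel.unprivileged_userns_clone kernel.apparmor_restrict_unprivileged_userns; do
        printf '%-45s %s\n' "$key" "$(sysctl -n "$key" 2>/dev/null || echo absent)"
    done
    printf 'running kernel: %s\n' "$(uname -r)"

    if has_cap_net_admin "$(caps_in_new_userns)"; then
        echo 'unprivileged unshare -Urn: CAP_NET_ADMIN obtained, nftables is reachable'
    else
        echo 'unprivileged unshare -Urn: blocked'
    fi
    if command -v aa-exec >/dev/null 2>&1; then
        # The profile switch the article names for Ubuntu 24.04.
        if has_cap_net_admin "$(caps_in_new_userns aa-exec -p trinity --)"; then
            echo 'via aa-exec -p trinity: CAP_NET_ADMIN obtained, AppArmor restriction does not hold'
        else
            echo 'via aa-exec -p trinity: blocked'
        fi
    fi
}

# Only probe when explicitly asked, so sourcing the file just defines helpers.
[ "${1-}" = "--check" ] && report
```

Run it as sh userns_check.sh --check from an unprivileged account. Both probes should print "blocked" on a host where the sysctl mitigation is in force; a "CAP_NET_ADMIN obtained" line from the aa-exec probe on Ubuntu 24.04 means only the AppArmor gate is in place, which the article's bypass defeats.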
