
Linux nf_tables CVE-2026-23111: full LPE chain now public via Exodus

Exodus Intelligence published a complete local root exploit for CVE-2026-23111 — a one-character nf_tables UAF patched upstream Feb 5. Container escape on default distros.


Exodus Intelligence published a full technical walkthrough and working exploit for CVE-2026-23111 on June 8, 2026 — a use-after-free in the Linux kernel's nf_tables netfilter subsystem that takes any unprivileged local user to root, and any unprivileged container to host. The upstream fix shipped on February 5, 2026 as a one-character patch (a stray ! removed in nft_map_catchall_activate()). Distros backported through February and March. The gap between the silent kernel.org commit and a public chain is now closed.

If your fleet is on a vendor kernel released before March 2026 and you have not rebooted into the patched build, treat this as a kernel-patch fire drill, not a low-priority LPE.

The bug

The flaw is in nft_map_catchall_activate(), the function nf_tables calls to re-activate the catchall element of a map while aborting a transaction that has failed. The catchall variant carries the genmask check inverted relative to its non-catchall sibling, nft_mapelem_activate(): it skips exactly the inactive elements it was supposed to reactivate, so the reference count on the data those elements point to is never restored and stays out of step with the live references once the abort completes. From there, an attacker can free an element and then reach it through a dangling reference: a textbook use-after-free.

The upstream commit message — "netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()" — describes the fix in one line: the negation was wrong, drop it. The patch lands as commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 in the netfilter tree, picked up across stable branches from there.
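An added toy model of the mechanism described above, written in C for this page; it is not kernel code and not material from the Exodus or FuzzingLabs write-ups. It assumes nf_tables-style generation masks (a set bit means "inactive in that generation") and a use count on the object a map element points to, the way chains and objects carry a ->use field; the `inverted` flag selects the check the page describes as wrong, and every type and function name is the model's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model (added example, not kernel code) of two-generation bookkeeping:
 * a set bit in genmask means "inactive in that generation". Map elements
 * point at an object that keeps a use count of live references, much as
 * nf_tables chains and objects do through ->use. */
enum { UAF_REACHABLE = 1, USE_OVERCOUNTED = 2 };

struct obj  { int use;  int freed; };
struct elem { unsigned genmask; struct obj *data; };

#define GEN_BIT(g) (1u << (g))

static int elem_active(const struct elem *e, unsigned gen)
{
    return !(e->genmask & GEN_BIT(gen));
}

/* Transaction step "delete element e": mark it inactive in the next generation
 * and release its data reference now, so the object may go once we commit. */
static void elem_deactivate(struct elem *e, unsigned next)
{
    e->genmask |= GEN_BIT(next);
    e->data->use--;
}

/* Abort path: undo elem_deactivate() for the elements the failed transaction
 * touched. The correct logic skips elements still active in `next` (untouched).
 * `inverted` applies the check the page describes as wrong: untouched elements
 * get "reactivated" and the deactivated one is skipped. */
static void abort_activate(struct elem *elems, size_t n, unsigned next, int inverted)
{
    for (size_t i = 0; i < n; i++) {
        struct elem *e = &elems[i];
        int untouched = elem_active(e, next);
        if (inverted ? !untouched : untouched)
            continue;
        e->genmask &= ~GEN_BIT(next);   /* active again */
        e->data->use++;                 /* reference taken back */
    }
}

/* Deleting the referenced object is refused while anything still uses it.
 * With an undercounted use field it succeeds while an element still points at it. */
static int obj_delete(struct obj *o)
{
    if (o->use != 0)
        return -1;
    o->freed = 1;   /* stands in for kfree() */
    return 0;
}

/* Scenario: a transaction deletes elems[0], then fails and is aborted; the
 * attacker then asks to delete the object elems[0] pointed at. Returns a
 * bitmask: UAF_REACHABLE if an element active in the current generation now
 * points at a freed object, USE_OVERCOUNTED if an untouched reference was
 * counted twice. 0 means the bookkeeping held. */
int scenario(int inverted)
{
    struct obj target = { .use = 1, .freed = 0 }, other = { .use = 1, .freed = 0 };
    struct elem elems[2] = {
        { .genmask = 0, .data = &target },  /* deleted by the transaction */
        { .genmask = 0, .data = &other },   /* never touched */
    };
    unsigned cur = 0, next = 1;
    int flags = 0;

    elem_deactivate(&elems[0], next);
    abort_activate(elems, 2, next, inverted);

    if (obj_delete(&target) == 0 && elem_active(&elems[0], cur) && elems[0].data->freed)
        flags |= UAF_REACHABLE;
    if (other.use != 1)
        flags |= USE_OVERCOUNTED;
    return flags;
}

int main(void)
{
    printf("correct check:  flags=%d\n", scenario(0));
    printf("inverted check: flags=%d\n", scenario(1));
    return 0;
}
```

With the correct check the deleted element gets its reference back and the later object deletion is refused. With the inverted check the deactivated element is skipped, its object's use count stays one short, the deletion goes through, and an element that is still active in the current generation points at freed memory; the untouched element's object is meanwhile over-counted and can never be freed.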

What turns the UAF into a privilege escalation is unprivileged user namespaces: CONFIG_USER_NS plus CONFIG_NF_TABLES, both enabled by default on most desktop distributions and on many server defaults. An ordinary local user can create a user namespace, create a network namespace inside it (the new user namespace holds CAP_NET_ADMIN over that network namespace, which is all nf_tables rule loading requires), load nf_tables rules there, drive the buggy code path, and from that position leak the kernel base, leak a heap address, and stack-pivot into msg_msg allocations to land a ROP chain as root. The Exodus writeup is the canonical sequence; FuzzingLabs independently reproduced the same bug with a different exploit chain on April 16, 2026, ahead of Pwn2Own Berlin.

Affected versions and patch status

Per Ubuntu's CVE tracker, the bug is rated CVSS 7.8 (High). Per the kernel.org commit and downstream advisories:

  • Upstream Linux kernel vulnerable until commit f41c5d151078c5348271ffaf8e7410d96f2d82f8 (Feb 5, 2026). Backported into stable trees through February and March.
  • Ubuntu publishes fixes for 22.04, 24.04, and 25.10 in the corresponding USN advisories — see Ubuntu's CVE-2026-23111 page.
  • Debian patched Bookworm and Trixie; a 6.1 backport ships for Bullseye LTS — see the Debian security tracker entry.
  • Red Hat Enterprise Linux carries the fix in RHSA-2026:10996; Red Hat rates the impact Important.
  • SUSE ships the fix in SUSE-SU-2026:21217-1 and matching live-patch streams.

The exposed population is every Linux host whose running kernel predates the February 2026 stable releases — including any host that has been patched on disk but not rebooted into the new kernel, and any live-patch tier that quietly skipped this CVE.

Exploitation status

There is no remote vector. The attacker needs a local shell or code execution inside a container; what the chain gives them is full root and a container escape. The exposure is shaped accordingly:

  • Multi-tenant Linux hosts — shared developer boxes, CI build farms, SaaS sandboxes.
  • Container platforms whose seccomp or AppArmor policy does not block unshare(2) and clone(2) with CLONE_NEWUSER inside the container, or that otherwise leave the default CONFIG_USER_NS path open: a process that can create a user namespace gets CAP_NET_ADMIN over the network namespace it creates next, and that is all nf_tables needs.
  • Compromised-application pivots — any web app, SSH foothold, or service account confined behind nominal "least privilege" rides this chain straight through to root.

There is no named in-the-wild exploitation attached to CVE-2026-23111 specifically — neither CISA KEV nor the vendor advisories list active mass exploitation as of June 8. The two public exploit codebases — Exodus (June 8) and FuzzingLabs (April 16) — close the gap between the silent fix and weaponisation; expect this CVE to surface in CTF-style operator playbooks within days, then in commodity post-exploitation kits within weeks.

Action checklist

  1. Inventory kernels by running version, not package version. A host whose kernel package was updated but never rebooted is still vulnerable. Pull uname -r across the fleet and cross-reference each line against the patched stream for that distro.
  2. Patch and reboot the multi-tenant population first — shared developer servers, CI runners, Kubernetes nodes, anything where the attacker primitive (unprivileged local shell) is cheap to obtain. Container hosts running customer code are the highest-priority cohort.
  3. Audit unprivileged user-namespace exposure on hardened workloads that do not need user namespaces. The knob depends on the kernel: kernel.unprivileged_userns_clone = 0 on Debian-patched kernels and older Ubuntu releases, kernel.apparmor_restrict_unprivileged_userns = 1 on Ubuntu 23.10 and later, and the upstream user.max_user_namespaces = 0 everywhere (that last one stops root creating them too). Any of them breaks the exploit's setup phase; all of them also break rootless containers, Flatpak and browser sandboxes that rely on user namespaces, so test before rolling out. This is a stopgap, not a substitute for patching.
  4. Audit the nf_tables loading path. nf_tables is not required on every host, but on current distros firewalld, ufw and iptables-nft all sit on it, so confirm nothing on the box depends on it first. On appliances and minimal runtimes where the kernel config shows CONFIG_NF_TABLES=m, blocking the module load (install nf_tables /bin/false in a modprobe.d file; a blacklist line alone does not stop an explicit load request) removes the bug surface entirely. Where the config shows CONFIG_NF_TABLES=y the code is built in and cannot be blocked this way; patching is the only option.
  5. For container platforms: confirm the host kernel under your nodes is on the patched build. A patched container image does not protect a vulnerable host kernel, and vice-versa — the kernel is shared.
  6. Watch the post-exploitation tells: unexpected unshare(CLONE_NEWUSER | CLONE_NEWNET) from non-root processes, sudden nft invocations from web-application service accounts, and root-process spawns from unexpected parents in audit logs. The exploit's setup phase is noisy in the right telemetry.
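The checks behind items 1, 3, 4 and 6, as an added shell example written for this page (not from the Exodus or FuzzingLabs write-ups, nor from any distro advisory). It assumes MIN_KERNEL is supplied from the relevant USN/DSA/RHSA/SUSE-SU advisory, since the page quotes no kernel version numbers; it assumes x86_64 syscall numbers and raw auditd records for the detection part, and the audit lines it ships with are constructed for the offline run. All function names are the example's own.

```shell
#!/bin/sh
# Added example (not from Exodus, FuzzingLabs or a distro advisory): host-side checks for the
# action list above. Pure functions first so they can be run offline on the constructed sample
# records below; "sh checks.sh --live" runs them against the current host.
# ASSUMPTION: MIN_KERNEL is the fixed kernel version for this host's distro stream, copied from
# the USN/DSA/RHSA/SUSE-SU advisory. The page quotes no version numbers, so neither does this.

# kver_cmp A B -> prints 1, 0 or -1. Compares major.minor.patch plus the distro ABI/build fields
# numerically, so 6.8.0-55-generic > 6.8.0-52-generic and 5.14.0-503.14.1.el9_5 sort correctly;
# flavour suffixes (-generic, -amd64, .el9_5.x86_64) are ignored.
kver_cmp() {
  awk -v a="$1" -v b="$2" '
    function norm(v) { sub(/[^0-9.-].*$/, "", v); gsub(/-/, ".", v); return v }
    BEGIN {
      split(norm(a), x, "."); split(norm(b), y, ".")
      for (i = 1; i <= 6; i++) {                     # absent fields compare as 0
        if (x[i] + 0 > y[i] + 0) { print 1;  exit }
        if (x[i] + 0 < y[i] + 0) { print -1; exit }
      }
      print 0
    }'
}

# host_status RUNNING INSTALLED MIN -> patched | patched-on-disk-reboot-needed | vulnerable
# Decided on the RUNNING kernel (item 1): a newer kernel on disk counts for nothing until reboot.
host_status() {
  if   [ "$(kver_cmp "$1" "$3")" -ge 0 ]; then echo patched
  elif [ "$(kver_cmp "$2" "$3")" -ge 0 ]; then echo patched-on-disk-reboot-needed
  else echo vulnerable
  fi
}

# flag_userns_unshare < audit.log: one line per SYSCALL record in which a non-root process called
# unshare(2) or clone(2) with CLONE_NEWUSER (0x10000000) set, the setup step from item 6; root is
# ignored because root gains nothing from this bug. ASSUMPTION: raw (uninterpreted) auditd records
# and x86_64 syscall numbers (272 unshare, 56 clone), e.g. collected by the rule
#   -a always,exit -F arch=b64 -S unshare,clone -F auid>=1000 -k userns
flag_userns_unshare() {
  while IFS= read -r line; do
    case $line in *type=SYSCALL*" syscall=272 "*|*type=SYSCALL*" syscall=56 "*) ;; *) continue ;; esac
    a0=$(printf '%s\n' "$line" | sed -n 's/.* a0=\([0-9a-f]*\) .*/\1/p')
    uid=$(printf '%s\n' "$line" | sed -n 's/.* uid=\([0-9]*\) .*/\1/p')
    comm=$(printf '%s\n' "$line" | sed -n 's/.* comm="\([^"]*\)".*/\1/p')
    [ -n "$a0" ] && [ -n "$uid" ] && [ "$uid" -ne 0 ] || continue
    [ $(( 0x$a0 & 0x10000000 )) -ne 0 ] || continue
    newnet=""
    [ $(( 0x$a0 & 0x40000000 )) -ne 0 ] && newnet=" +CLONE_NEWNET"
    printf 'uid=%s comm=%s flags=0x%s CLONE_NEWUSER%s\n' "$uid" "$comm" "$a0" "$newnet"
  done
}

# Constructed sample records (not from any real incident): a non-root "stage1" creating a
# user+net namespace and cloning a child into a fresh userns, systemd unsharing as root, and a
# user asking for a netns alone (CLONE_NEWNET without CLONE_NEWUSER fails and is not the tell).
sample_audit_lines() {
  cat <<'EOF'
type=SYSCALL msg=audit(1749369600.101:3101): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 items=0 ppid=2210 pid=2231 auid=4294967295 uid=33 gid=33 euid=33 comm="stage1" exe="/tmp/stage1" key="userns"
type=SYSCALL msg=audit(1749369600.102:3102): arch=c000003e syscall=272 success=yes exit=0 a0=20000 a1=0 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="userns"
type=SYSCALL msg=audit(1749369600.103:3103): arch=c000003e syscall=56 success=yes exit=2240 a0=10000011 a1=0 a2=0 a3=0 items=0 ppid=2231 pid=2239 auid=4294967295 uid=33 gid=33 euid=33 comm="stage1" exe="/tmp/stage1" key="userns"
type=SYSCALL msg=audit(1749369600.104:3104): arch=c000003e syscall=272 success=no exit=-1 a0=40000000 a1=0 a2=0 a3=0 items=0 ppid=2300 pid=2301 auid=1000 uid=1000 gid=1000 euid=1000 comm="ip" exe="/usr/sbin/ip" key="userns"
EOF
}

case ${1:-} in
  --live)
    : "${MIN_KERNEL:?set MIN_KERNEL to the fixed kernel version from your distro advisory}"
    running=$(uname -r); installed=$running
    for k in /boot/vmlinuz-*; do                        # newest kernel present on disk
      v=${k##*/vmlinuz-}
      [ "$(kver_cmp "$v" "$installed")" -gt 0 ] && installed=$v
    done
    echo "kernel: running=$running installed=$installed status=$(host_status "$running" "$installed" "$MIN_KERNEL")"
    # item 3: which user-namespace knob exists depends on the distro kernel
    for f in user/max_user_namespaces kernel/unprivileged_userns_clone kernel/apparmor_restrict_unprivileged_userns; do
      [ -r "/proc/sys/$f" ] && echo "sysctl $(echo "$f" | tr / .)=$(cat "/proc/sys/$f")"
    done
    # item 4: an install-blacklist in modprobe.d only helps while nf_tables is a module (=m)
    grep -q '^nf_tables ' /proc/modules && echo "nf_tables: loaded as a module"
    grep -s '^CONFIG_NF_TABLES=' "/boot/config-$running" || echo "nf_tables: kernel config not readable"
    # item 6: past CLONE_NEWUSER setups by non-root processes, if auditd keeps a local log
    [ -r /var/log/audit/audit.log ] && flag_userns_unshare < /var/log/audit/audit.log
    ;;
  *)
    echo "demo on constructed audit records (use --live for this host):"
    sample_audit_lines | flag_userns_unshare
    ;;
esac
```

Run with no arguments to see the two constructed records that match the tell (the web-server uid's unshare with CLONE_NEWUSER|CLONE_NEWNET and its clone into a fresh user namespace); root's unshare and the netns-only attempt are correctly ignored. Run with `MIN_KERNEL=<fixed version> sh checks.sh --live` on a host to get the running-versus-installed verdict from item 1 alongside the user-namespace and nf_tables state from items 3 and 4.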

Context

nf_tables has been one of the kernel's most fertile LPE surfaces for three years running. The 2023 cycle delivered CVE-2023-31248 (a use-after-free in nft_chain_lookup_byid()) and CVE-2023-35001 (an out-of-bounds read/write in nft_byteorder()), both in the same subsystem, both reachable through unprivileged user namespaces, both Pwn2Own bugs. 2024 added CVE-2024-1086, exploited in the wild and added to CISA KEV. CVE-2026-23111 is the next entry in the same lineage: small logic bug, default-on attack surface, full local root, full container escape.

The structural lesson, again, is that unprivileged user namespaces + nf_tables is the most weaponisable kernel surface in modern Linux. Hardened-server fleets that turned off unprivileged_userns_clone years ago and never turned it back on are quietly enjoying the dividends of that decision. Everyone else is on the patch-then-reboot treadmill — and "patched" only counts after the reboot.

What other outlets missed

Most secondary coverage frames this as "the one-character fix" or "the Exodus PoC drop." Both are accurate but understate the operational point: the FuzzingLabs reproduction was public on April 16, eight weeks before the Exodus write-up. Any fleet whose patch SLO measures from a public-exploit milestone has been exposed since April, not June. If the Pwn2Own Berlin entries already used this bug class, treat the unmonitored window as starting then.
