CVE-2026-23111
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

    nft_mapelem_activate():
        if (nft_set_elem_active(ext, iter->genmask))
            return 0;   /* skip active, process inactive */

With the buggy catchall version:

    nft_map_catchall_activate():
        if (!nft_set_elem_active(ext, genmask))
            continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
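The description ties unprivileged reachability to CONFIG_USER_NS, CONFIG_NF_TABLES and user namespaces. The script below is an added example, not part of the advisory or the kernel patch, that reports whether those preconditions hold on a host; the file paths and the Debian/Ubuntu-specific `unprivileged_userns_clone` sysctl are assumptions about the host's layout.

```shell
#!/bin/sh
# Added example, not from the advisory: checks the preconditions the
# description names (CONFIG_USER_NS, CONFIG_NF_TABLES, unprivileged userns).
# File locations are assumptions about a typical distribution layout.

# config_state FILE OPTION: prints y, m, or n for a kernel config option.
config_state() {
    # Configs carry "CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set".
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# userns_unpriv_allowed MAX_FILE CLONE_FILE: succeeds when an unprivileged
# user may create a user namespace.
userns_unpriv_allowed() {
    max=$(cat "$1" 2>/dev/null || echo 0)
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    # Debian/Ubuntu-only switch; when the file is absent it does not apply.
    if [ -r "$2" ]; then
        [ "$(cat "$2")" = "1" ] || return 1
    fi
    return 0
}

# exposure CONFIG MAX_FILE CLONE_FILE: prints one token describing whether
# the unprivileged path from the description is open on this host.
exposure() {
    [ -r "$1" ] || { echo unknown-config; return 0; }
    [ "$(config_state "$1" CONFIG_NF_TABLES)" != n ] || { echo no-nf_tables; return 0; }
    [ "$(config_state "$1" CONFIG_USER_NS)" != n ] || { echo no-userns; return 0; }
    userns_unpriv_allowed "$2" "$3" || { echo userns-restricted; return 0; }
    echo reachable
}

# Live check: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    exposure "/boot/config-$(uname -r)" \
        /proc/sys/user/max_user_namespaces \
        /proc/sys/kernel/unprivileged_userns_clone
fi
```

`reachable` only means the unprivileged path is open; whether the running kernel carries the fix is decided by comparing its package version with the "Fixed in" columns under OS impact.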
Mitigations
No mitigations published for this CVE yet.
OS impact
Linux kernel Affected 3 releases
| Version | Status | Fixed in |
|---|---|---|
| 6.4 | Affected | - |
| 6.19 | Affected | - |
| - | Affected | 4.20 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | perf-5.14.0-611.47.1.el9_7.aarch64.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.73-1 |
| sid | Fixed | 6.18.10-1 |
| forky | Fixed | 6.18.10-1 |
| bullseye | Fixed | 6.1.164-1~deb11u1 |
| bookworm | Fixed | 6.1.164-1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
References
- https://access.redhat.com/errata/RHSA-2026:6570
- https://www.suse.com/security/cve/CVE-2026-23111.html
- https://security-tracker.debian.org/tracker/CVE-2026-23111
- https://bugzilla.redhat.com/2376101
- https://bugzilla.redhat.com/2439687
- https://bugzilla.redhat.com/2439895
- https://bugzilla.redhat.com/2444376
- https://errata.almalinux.org/9/ALSA-2026-6570.html
- https://errata.rockylinux.org/RLSA-2026:6570
- https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
- https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
- https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
- https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
- https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
- https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8
- https://cert-portal.siemens.com/productcert/html/ssa-253495.html
CWEs
CWE-416