CVE-2026-23111
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 13/02/2026
Last modified: 03/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

    nft_mapelem_activate():
        if (nft_set_elem_active(ext, iter->genmask))
            return 0; /* skip active, process inactive */

With the buggy catchall version:

    nft_map_catchall_activate():
        if (!nft_set_elem_active(ext, genmask))
            continue; /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
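The reference-count drift described above, as a simplified userspace model in C. This is an added example, not kernel code and not part of the advisory or the fix commit: the struct layouts and the `model_*` and `dangling_after_abort` names are hypothetical, and only the two skip conditions mirror the snippets quoted in the description.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified userspace model (hypothetical names); not kernel code. */
struct chain { int use; bool freed; };
struct elem  { bool active; struct chain *target; }; /* target: NFT_GOTO verdict */

/* DELSET preparation on an active element: mark it inactive, drop its chain ref. */
static void model_deactivate(struct elem *e)
{
    e->active = false;
    e->target->use--;
}

/* Abort path. buggy=true keeps the inverted check quoted in the description. */
static void model_catchall_activate(struct elem *e, size_t n, bool buggy)
{
    for (size_t i = 0; i < n; i++) {
        bool skip = buggy ? !e[i].active   /* skip inactive, process active */
                          :  e[i].active;  /* skip active, process inactive */
        if (skip)
            continue;
        e[i].active = true;
        e[i].target->use++;                /* stands in for nft_data_hold() */
    }
}

/* DELCHAIN is refused while the chain is still referenced. */
static bool model_delchain(struct chain *c)
{
    c->freed = (c->use <= 0);              /* flag only; nothing is really freed */
    return c->freed;
}

/* One aborted DELSET followed by DELCHAIN: true if the catchall element
 * still points at a chain the model considers freed. */
static bool dangling_after_abort(bool buggy)
{
    struct chain c = { .use = 1, .freed = false };
    struct elem catchall = { .active = true, .target = &c };
    model_deactivate(&catchall);
    model_catchall_activate(&catchall, 1, buggy);
    model_delchain(&c);
    return c.freed && catchall.target == &c;
}

int main(void)
{
    return (dangling_after_abort(true) && !dangling_after_abort(false)) ? 0 : 1;
}
```

With the inverted check the abort leaves `use` at 0 and the deletion goes through; with the corrected check the count is restored to 1 and the deletion is refused.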
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.316 (including) | 4.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.262 (including) | 5.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.188 (including) | 5.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.121 (including) | 5.15.200 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.36 (including) | 6.1.163 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3.10 (including) | 6.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4.1 (including) | 6.6.124 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.70 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
- https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
- https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
- https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
- https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
- https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8



