Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2026-23111

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
13/02/2026
Last modified:
13/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0; /* skip active, process inactive */

With the buggy catchall version:

nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue; /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
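The genmask and chain->use bookkeeping the commit message describes, as an added illustration that is neither kernel code nor part of the INCIBE record: a simplified C model in which one catchall NFT_GOTO element references one chain, and the abort path is run once with the inverted check and once with the corrected one. NEXT_GEN, struct model and the helper names are assumptions standing in for nft_genmask_next() and the real nf_tables structures.

```c
/* Added, simplified model of the genmask / chain->use bookkeeping described
 * above; not kernel code.  One catchall NFT_GOTO element references one
 * chain, and NEXT_GEN stands in for nft_genmask_next(). */
#include <stdbool.h>
#define NEXT_GEN 0x2u

struct model {
    unsigned elem_genmask;  /* bit set = element inactive in that generation */
    int chain_use;          /* chain->use of the chain the verdict goes to */
};

/* As nft_set_elem_active(): active unless the generation bit is set. */
static bool elem_active(const struct model *m, unsigned genmask)
{
    return !(m->elem_genmask & genmask);
}

/* DELSET: the catchall deactivate path marks the element inactive for the
 * next generation and nft_data_release() drops the chain reference. */
static void delset(struct model *m)
{
    if (!elem_active(m, NEXT_GEN))
        return;
    m->elem_genmask |= NEXT_GEN;
    m->chain_use--;
}

/* Abort path, nft_map_catchall_activate().  inverted=true is the check the
 * fix removes: it skips the very element that needs restoring, so
 * nft_data_hold() (chain_use++) never runs. */
static void abort_delset(struct model *m, bool inverted)
{
    bool active = elem_active(m, NEXT_GEN);
    if (inverted ? !active : active)
        return;
    m->elem_genmask &= ~NEXT_GEN;      /* nft_clear(): active again */
    m->chain_use++;                    /* nft_data_hold() */
}

/* One DELSET that is then aborted; returns chain->use afterwards.  The
 * element still references the chain, so 0 means DELCHAIN would now free
 * the chain underneath that reference. */
static int chain_use_after_aborted_delset(bool inverted)
{
    struct model m = { .elem_genmask = 0, .chain_use = 1 };
    delset(&m);
    abort_delset(&m, inverted);
    return m.chain_use;
}
```

With the corrected check the use count returns to 1 after the abort; with the inverted check it stays at 0 while the element still points at the chain, which is the state in which DELCHAIN is allowed to proceed.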

Impact