CVE-2026-23111
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
13/02/2026
Última modificación:
13/02/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()<br />
<br />
nft_map_catchall_activate() has an inverted element activity check<br />
compared to its non-catchall counterpart nft_mapelem_activate() and<br />
compared to what is logically required.<br />
<br />
nft_map_catchall_activate() is called from the abort path to re-activate<br />
catchall map elements that were deactivated during a failed transaction.<br />
It should skip elements that are already active (they don&#39;t need<br />
re-activation) and process elements that are inactive (they need to be<br />
restored). Instead, the current code does the opposite: it skips inactive<br />
elements and processes active ones.<br />
<br />
Compare the non-catchall activate callback, which is correct:<br />
<br />
nft_mapelem_activate():<br />
if (nft_set_elem_active(ext, iter->genmask))<br />
return 0; /* skip active, process inactive */<br />
<br />
With the buggy catchall version:<br />
<br />
nft_map_catchall_activate():<br />
if (!nft_set_elem_active(ext, genmask))<br />
continue; /* skip inactive, process active */<br />
<br />
The consequence is that when a DELSET operation is aborted,<br />
nft_setelem_data_activate() is never called for the catchall element.<br />
For NFT_GOTO verdict elements, this means nft_data_hold() is never<br />
called to restore the chain->use reference count. Each abort cycle<br />
permanently decrements chain->use. Once chain->use reaches zero,<br />
DELCHAIN succeeds and frees the chain while catchall verdict elements<br />
still reference it, resulting in a use-after-free.<br />
<br />
This is exploitable for local privilege escalation from an unprivileged<br />
user via user namespaces + nftables on distributions that enable<br />
CONFIG_USER_NS and CONFIG_NF_TABLES.<br />
<br />
Fix by removing the negation so the check matches nft_mapelem_activate():<br />
skip active elements, process inactive ones.
Impacto
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
- https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
- https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
- https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
- https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
- https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8



