CVE-2026-23111
HIGHLinux Kernel < 5.15.200 Use-After-Free in nft_map_catchall_activate
Title source: llmExploitation Summary
EIP tracks 8 public exploits for CVE-2026-23111. PoCs published by vrtlbob, bakano98, 0xBlackash.
AI-analyzed exploit summary This repository contains a bash script that scans for environmental prerequisites (unprivileged user namespaces and nf_tables module) related to CVE-2026-23111, a Linux kernel vulnerability. It does not exploit the vulnerability but assesses system exposure.
Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
Exploits (8)
This repository contains a bash script that scans for environmental prerequisites (unprivileged user namespaces and nf_tables module) related to CVE-2026-23111, a Linux kernel vulnerability. It does not exploit the vulnerability but assesses system exposure.
This repository contains a functional exploit for CVE-2026-23111, targeting a Linux kernel vulnerability in the nf_tables subsystem. The exploit leverages heap manipulation and message queue spraying to achieve local privilege escalation (LPE) by corrupting kernel structures and executing arbitrary code in ring-0.
The repository contains a Python-based detection tool for CVE-2026-23111, a Use-After-Free vulnerability in the Linux kernel's nf_tables subsystem. It checks kernel versions and nftables availability to determine potential vulnerability status.
This repository contains functional exploit code for CVE-2026-23111, a Linux kernel nf_tables use-after-free vulnerability leading to local privilege escalation. The exploit demonstrates a full chain including UAF trigger, KASLR/heap leaks, and ROP to achieve root.
This repository provides a defensive scanner for CVE-2026-23111, a local privilege escalation vulnerability in the Linux kernel's nf_tables module. It includes scripts to check kernel exposure, verify unprivileged user namespace restrictions, and set up a lab environment for safe testing.
This repository contains a defensive validation script for CVE-2026-23111, a Linux kernel vulnerability in nf_tables. The script checks for exposure conditions such as kernel version, module loading status, and runtime hardening settings without delivering an exploit.
The repository contains a Bash script that scans for the presence of CVE-2026-23111 by checking kernel version, user namespace settings, and nf_tables module status. It does not include exploit code but provides detailed vulnerability assessment and mitigation suggestions.
The repository contains only a template structure with no actual exploit code or technical details about CVE-2026-23111. It includes placeholder files like a README with generic usage instructions and a LICENSE file, but no functional PoC or analysis.
References (16)
Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H