CVE-2026-23111

HIGH

Linux Kernel < 5.15.200 Use-After-Free in nft_map_catchall_activate

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2026-23111. PoCs published by vrtlbob, bakano98, 0xBlackash.

AI-analyzed exploit summary This repository contains a bash script that scans for environmental prerequisites (unprivileged user namespaces and nf_tables module) related to CVE-2026-23111, a Linux kernel vulnerability. It does not exploit the vulnerability but assesses system exposure.

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.

Exploits (8)

github SCANNER 1 stars
by vrtlbob · shellpoc
https://github.com/vrtlbob/Linux-Kernel-Vulnerabilities-CVE-2026-23111

This repository contains a bash script that scans for environmental prerequisites (unprivileged user namespaces and nf_tables module) related to CVE-2026-23111, a Linux kernel vulnerability. It does not exploit the vulnerability but assesses system exposure.

Classification
Scanner 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Linux Kernel (specific version not specified)
No auth needed
Prerequisites: unprivileged user namespace allocation enabled · nf_tables kernel module loaded or present
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →
github WORKING POC 1 stars
by bakano98 · cpoc
https://github.com/bakano98/cve-2026-23111-poc

This repository contains a functional exploit for CVE-2026-23111, targeting a Linux kernel vulnerability in the nf_tables subsystem. The exploit leverages heap manipulation and message queue spraying to achieve local privilege escalation (LPE) by corrupting kernel structures and executing arbitrary code in ring-0.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (nf_tables subsystem)
No auth needed
Prerequisites: Linux system with vulnerable kernel · unprivileged user access
mistral-large-3 · analyzed Jul 01, 2026 Full analysis →
github SCANNER 1 stars
by 0xBlackash · pythonpoc
https://github.com/0xBlackash/CVE-2026-23111

The repository contains a Python-based detection tool for CVE-2026-23111, a Use-After-Free vulnerability in the Linux kernel's nf_tables subsystem. It checks kernel versions and nftables availability to determine potential vulnerability status.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Linux Kernel nf_tables subsystem
No auth needed
Prerequisites: Linux system with nf_tables support
mistral-large-3 · analyzed Jun 09, 2026 Full analysis →
github WORKING POC
by Baba01hacker666 · cpoc
https://github.com/Baba01hacker666/CVE-2026-23111

This repository contains functional exploit code for CVE-2026-23111, a Linux kernel nf_tables use-after-free vulnerability leading to local privilege escalation. The exploit demonstrates a full chain including UAF trigger, KASLR/heap leaks, and ROP to achieve root.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel 5.15+ through < 6.18.10
No auth needed
Prerequisites: Linux kernel with nf_tables support · unprivileged user namespace access
mistral-large-3 · analyzed Jun 25, 2026 Full analysis →
github SCANNER
by ishankaru · shellpoc
https://github.com/ishankaru/CVE-2026-23111-nftables-lab

This repository provides a defensive scanner for CVE-2026-23111, a local privilege escalation vulnerability in the Linux kernel's nf_tables module. It includes scripts to check kernel exposure, verify unprivileged user namespace restrictions, and set up a lab environment for safe testing.

Classification
Scanner 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (nf_tables module)
No auth needed
Prerequisites: unprivileged user namespace access · nf_tables module presence
mistral-large-3 · analyzed Jun 11, 2026 Full analysis →
github SCANNER
by criann · shellpoc
https://github.com/criann/check-cve-2026-23111

This repository contains a defensive validation script for CVE-2026-23111, a Linux kernel vulnerability in nf_tables. The script checks for exposure conditions such as kernel version, module loading status, and runtime hardening settings without delivering an exploit.

Classification
Scanner 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (nf_tables)
No auth needed
Prerequisites: Linux kernel with nf_tables support · unprivileged user namespaces enabled
mistral-large-3 · analyzed Jun 11, 2026 Full analysis →
nomisec SCANNER
by seguridadentrerios · poc
https://github.com/seguridadentrerios/CVE-2026-23111

The repository contains a Bash script that scans for the presence of CVE-2026-23111 by checking kernel version, user namespace settings, and nf_tables module status. It does not include exploit code but provides detailed vulnerability assessment and mitigation suggestions.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (versions prior to 6.13)
No auth needed
Prerequisites: Linux system with kernel version < 6.13 · Access to system configuration files
mistral-large-3 · analyzed Jun 10, 2026 Full analysis →
github STUB
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-23111

The repository contains only a template structure with no actual exploit code or technical details about CVE-2026-23111. It includes placeholder files like a README with generic usage instructions and a LICENSE file, but no functional PoC or analysis.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
mistral-large-3 · analyzed Jun 09, 2026 Full analysis →

Scores

CVSS v3 7.8
EPSS 0.0034
EPSS Percentile 26.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-416 CWE-672
Status published
Products (32)
linux/Kernel < 5.15.200linux
linux/Kernel 5.16.0 - 6.1.163linux
linux/Kernel 6.2.0 - 6.6.124linux
linux/Kernel 6.4.0 - 6.12.70linux
linux/Kernel 6.7.0 - 6.18.10linux
Linux/Linux < 6.4
Linux/Linux 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 - 8c760ba4e36c750379d13569f23f5a6e185333f5
Linux/Linux 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50
Linux/Linux 4.19.316 - 4.20
Linux/Linux 5.10.188 - 5.11
... and 22 more
Published Feb 13, 2026
Tracked Since Feb 18, 2026