CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 08, 2026

New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root

Cybersecurity News Archived Jun 08, 2026 ✓ Full text saved

A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via […] The post New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root appeared first on Cyber Se

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root By Guru Baran June 8, 2026 A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. Security researcher Oliver Sieber of Exodus Intelligence published a detailed technical write-up alongside a working exploit demonstrating >99% reliability on idle systems. The bug originates in the nft_map_catchall_activate() function within the nftables subsystem — a packet filtering framework built on top of Linux’s Netfilter hooks. Specifically, a single inverted conditional check (a misplaced ! operator) causes the function to incorrectly skip inactive catchall elements during the abort process, instead of reactivating them. When a pipapo-backed verdict map containing a catchall element referencing a chain is deleted and a subsequent transaction in the same batch fails, triggering an abort, the catchall element remains incorrectly inactive. This leaves the referenced chain’s reference counter at zero, even though a valid reference to that chain still exists. An attacker can then delete the chain while a dangling pointer remains in a base chain rule, triggering the use-after-free condition. Linux Kernel use-after-free Vulnerability The exploit chains four transaction batches to manipulate nftables’ generational cursor mechanism: Batch 1: Delete the pipapo set, then force an error to trigger the abort — causing the chain reference counter to decrement incorrectly Batch 2: Send a benign transaction to toggle the generation cursor Batch 3: Delete the pipapo set cleanly, driving the chain’s reference counter to zero Batch 4: Delete the chain while the base chain retains a live rule referencing it From there, the exploit performs KASLR defeat by reclaiming the freed kmalloc-cg-32 slab with a seq_operations structure (populated via open("/proc/self/stat")), leaking kernel function pointers through an NFT_MSG_GETRULE request. Heap addresses are subsequently leaked by reclaiming freed kmalloc-cg-192 objects with crafted nft_rule structures whose linked-list pointers are exfiltrated the same way. Control flow hijacking is achieved by overwriting the deleted chain’s blob_gen_0 pointer with a fake nft_expr_ops structure pointing to a ROP gadget (push rbx; pop rsp). The final ROP chain calls commit_creds(&init_cred) to gain root credentials, then escapes namespace isolation via switch_task_namespaces(), achieving a full container and namespace breakout. On Ubuntu 24.04, namespace creation restrictions enforced via AppArmor can be bypassed using aa-exec -p trinity -- unshare -Urmin /bin/sh prior to exploitation. Distribution Status Debian Bookworm Vulnerable Debian Trixie Vulnerable Ubuntu 22.04 LTS Vulnerable Ubuntu 24.04 LTS Vulnerable The exploit achieved >99% stability on idle systems and approximately 80% stability under heavy heap pressure (Apache benchmark via Phoronix Test Suite), making it highly reliable in real-world conditions, Oliver Sieber said. Notably, the same break statement that introduced this flaw also spawned a related bug tracked as CVE-2026-23278, patched separately via a second kernel commit. Administrators should immediately apply the upstream kernel patch (commit f41c5d1) or update to a patched kernel release provided by their distribution. On Ubuntu systems, restricting unprivileged user namespace creation via kernel.unprivileged_userns_clone=0 provides a partial mitigation where policy permits. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now! CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code SolyxImmortal Python Malware Steals Browser Passwords, Cookies, Files, and Keystrokes Latest News Cyber Security News New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords Cyber Security News Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader Cyber Security News UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data Cyber Security News New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access Cyber Security WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 08, 2026
    Archived
    Jun 08, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗