New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root
Cybersecurity NewsArchived Jun 08, 2026✓ Full text saved
A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via […] The post New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root appeared first on Cyber Se
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root
By Guru Baran
June 8, 2026
A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. Security researcher Oliver Sieber of Exodus Intelligence published a detailed technical write-up alongside a working exploit demonstrating >99% reliability on idle systems.
The bug originates in the nft_map_catchall_activate() function within the nftables subsystem — a packet filtering framework built on top of Linux’s Netfilter hooks.
Specifically, a single inverted conditional check (a misplaced ! operator) causes the function to incorrectly skip inactive catchall elements during the abort process, instead of reactivating them.
When a pipapo-backed verdict map containing a catchall element referencing a chain is deleted and a subsequent transaction in the same batch fails, triggering an abort, the catchall element remains incorrectly inactive.
This leaves the referenced chain’s reference counter at zero, even though a valid reference to that chain still exists. An attacker can then delete the chain while a dangling pointer remains in a base chain rule, triggering the use-after-free condition.
Linux Kernel use-after-free Vulnerability
The exploit chains four transaction batches to manipulate nftables’ generational cursor mechanism:
Batch 1: Delete the pipapo set, then force an error to trigger the abort — causing the chain reference counter to decrement incorrectly
Batch 2: Send a benign transaction to toggle the generation cursor
Batch 3: Delete the pipapo set cleanly, driving the chain’s reference counter to zero
Batch 4: Delete the chain while the base chain retains a live rule referencing it
From there, the exploit performs KASLR defeat by reclaiming the freed kmalloc-cg-32 slab with a seq_operations structure (populated via open("/proc/self/stat")), leaking kernel function pointers through an NFT_MSG_GETRULE request.
Heap addresses are subsequently leaked by reclaiming freed kmalloc-cg-192 objects with crafted nft_rule structures whose linked-list pointers are exfiltrated the same way.
Control flow hijacking is achieved by overwriting the deleted chain’s blob_gen_0 pointer with a fake nft_expr_ops structure pointing to a ROP gadget (push rbx; pop rsp). The final ROP chain calls commit_creds(&init_cred) to gain root credentials, then escapes namespace isolation via switch_task_namespaces(), achieving a full container and namespace breakout.
On Ubuntu 24.04, namespace creation restrictions enforced via AppArmor can be bypassed using aa-exec -p trinity -- unshare -Urmin /bin/sh prior to exploitation.
Distribution Status
Debian Bookworm Vulnerable
Debian Trixie Vulnerable
Ubuntu 22.04 LTS Vulnerable
Ubuntu 24.04 LTS Vulnerable
The exploit achieved >99% stability on idle systems and approximately 80% stability under heavy heap pressure (Apache benchmark via Phoronix Test Suite), making it highly reliable in real-world conditions, Oliver Sieber said.
Notably, the same break statement that introduced this flaw also spawned a related bug tracked as CVE-2026-23278, patched separately via a second kernel commit.
Administrators should immediately apply the upstream kernel patch (commit f41c5d1) or update to a patched kernel release provided by their distribution.
On Ubuntu systems, restricting unprivileged user namespace creation via kernel.unprivileged_userns_clone=0 provides a partial mitigation where policy permits.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication
Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now!
CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks
Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code
SolyxImmortal Python Malware Steals Browser Passwords, Cookies, Files, and Keystrokes
Latest News
Cyber Security News
New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords
Cyber Security News
Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader
Cyber Security News
UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data
Cyber Security News
New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access
Cyber Security
WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware