7.8
CVE-2026-23111
- EPSS 0.34%
- Veröffentlicht 13.02.2026 13:29:55
- Zuletzt bearbeitet 30.06.2026 03:17:30
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate():
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate():
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 4.19.316 < 4.20
Linux ≫ Linux Kernel Version >= 5.4.262 < 5.5
Linux ≫ Linux Kernel Version >= 5.10.188 < 5.11
Linux ≫ Linux Kernel Version >= 5.15.121 < 5.15.200
Linux ≫ Linux Kernel Version >= 6.1.36 < 6.1.163
Linux ≫ Linux Kernel Version >= 6.3.10 < 6.4
Linux ≫ Linux Kernel Version >= 6.4.1 < 6.6.124
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.70
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.10
Linux ≫ Linux Kernel Version6.4 Update-
Linux ≫ Linux Kernel Version6.19 Updaterc1
Linux ≫ Linux Kernel Version6.19 Updaterc2
Linux ≫ Linux Kernel Version6.19 Updaterc3
Linux ≫ Linux Kernel Version6.19 Updaterc4
Linux ≫ Linux Kernel Version6.19 Updaterc5
Linux ≫ Linux Kernel Version6.19 Updaterc6
Linux ≫ Linux Kernel Version6.19 Updaterc7
Linux ≫ Linux Kernel Version6.19 Updaterc8
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.34% | 0.263 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-672 Operation on a Resource after Expiration or Release
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
https://access.redhat.com/errata/RHSA-2026:10108
https://access.redhat.com/errata/RHSA-2026:10996
https://access.redhat.com/errata/RHSA-2026:18134
https://access.redhat.com/errata/RHSA-2026:6570
https://access.redhat.com/errata/RHSA-2026:9112
https://access.redhat.com/security/cve/CVE-2026-23111
https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
https://bugzilla.redhat.com/show_bug.cgi?id=2439687
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23111.json