7.8

CVE-2026-23111

Medienbericht

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.19.316 < 4.20
LinuxLinux Kernel Version >= 5.4.262 < 5.5
LinuxLinux Kernel Version >= 5.10.188 < 5.11
LinuxLinux Kernel Version >= 5.15.121 < 5.15.200
LinuxLinux Kernel Version >= 6.1.36 < 6.1.163
LinuxLinux Kernel Version >= 6.3.10 < 6.4
LinuxLinux Kernel Version >= 6.4.1 < 6.6.124
LinuxLinux Kernel Version >= 6.7 < 6.12.70
LinuxLinux Kernel Version >= 6.13 < 6.18.10
LinuxLinux Kernel Version6.4 Update-
LinuxLinux Kernel Version6.19 Updaterc1
LinuxLinux Kernel Version6.19 Updaterc2
LinuxLinux Kernel Version6.19 Updaterc3
LinuxLinux Kernel Version6.19 Updaterc4
LinuxLinux Kernel Version6.19 Updaterc5
LinuxLinux Kernel Version6.19 Updaterc6
LinuxLinux Kernel Version6.19 Updaterc7
LinuxLinux Kernel Version6.19 Updaterc8
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.34% 0.263
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

CWE-672 Operation on a Resource after Expiration or Release

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
15.06.2026 17:02
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.06.2026 22:56
https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
Patch
https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
Patch
https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
Patch
https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
Patch
https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
Patch
https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8
Patch
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
https://access.redhat.com/errata/RHSA-2026:10108
https://access.redhat.com/errata/RHSA-2026:10996
https://access.redhat.com/errata/RHSA-2026:18134
https://access.redhat.com/errata/RHSA-2026:6570
https://access.redhat.com/errata/RHSA-2026:9112
https://access.redhat.com/security/cve/CVE-2026-23111
https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
https://bugzilla.redhat.com/show_bug.cgi?id=2439687
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23111.json