CVE-2026-23111 in Linux
Summary
by MITRE • 02/13/2026
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/02/2026
The vulnerability described in CVE-2026-23111 resides within the Linux kernel's netfilter subsystem, specifically in the nftables implementation that manages network filtering rules. This issue manifests as an inverted genmask check within the nft_map_catchall_activate() function, which fundamentally alters the logical flow of element activation during transaction abort scenarios. The flaw creates a critical inconsistency between how catchall map elements are handled versus regular map elements, leading to improper state management during failed operations.
The technical root cause stems from a logical error in the conditional evaluation within nft_map_catchall_activate() where the negation operator inverts the intended behavior compared to its counterpart function nft_mapelem_activate(). While the correct function properly skips active elements and processes inactive ones, the buggy implementation does the exact opposite by skipping inactive elements and processing active ones during the abort path of operations. This inversion occurs specifically when the system attempts to reactivate catchall map elements that were previously deactivated during failed transactions, creating a cascade of improper state transitions.
The operational impact of this vulnerability extends beyond simple logical errors to create a dangerous use-after-free condition that can be exploited for local privilege escalation. When a DELSET operation is aborted, the nft_setelem_data_activate() function fails to be called for catchall elements due to the inverted logic, which prevents proper restoration of chain reference counts. This leads to a gradual decrement of the chain->use counter, eventually causing the chain to be freed while catchall verdict elements still maintain references to it. The consequence is a memory management race condition that can be leveraged to execute arbitrary code with elevated privileges.
This vulnerability aligns with CWE-457: Use of Uninitialized Variable and CWE-121: Stack-based Buffer Overflow, while mapping to ATT&CK techniques including T1068: Exploitation for Privilege Escalation and T1548.1: Abuse Elevation Control Mechanism. The exploitability requires specific kernel configuration flags including CONFIG_USER_NS and CONFIG_NF_TABLES, making it particularly relevant in environments where user namespaces are enabled. The attack vector involves an unprivileged user leveraging user namespaces in conjunction with nftables to manipulate the kernel's reference counting mechanisms, ultimately causing a chain to be freed while still referenced by catchall elements. The fix implemented addresses the core issue by removing the erroneous negation operator, aligning the catchall activation logic with the correct behavior established in nft_mapelem_activate().
The remediation strategy focuses on correcting the logical inversion by ensuring that nft_map_catchall_activate() properly skips active elements and processes inactive ones, matching the behavior of its non-catchall counterpart. This simple but critical fix restores the proper state management during transaction aborts, preventing the progressive decrement of chain reference counts that leads to the use-after-free condition. The resolution ensures that catchall elements maintain proper reference counting semantics throughout all transaction states, including failed operations, thereby eliminating the privilege escalation vector that could be exploited by unprivileged users within environments supporting user namespaces and nftables functionality.