Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 4.19.316, < 4.20 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862ddPatch
- https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473dPatch
- https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081Patch
- https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5Patch
- https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7fPatch
- https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8Patch
FAQ
What is CVE-2026-23111?
CVE-2026-23111 is a vulnerability with a CVSS score of 7.8 (HIGH). In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted elemen...
How severe is CVE-2026-23111?
CVE-2026-23111 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23111?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.