{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23111", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.968Z", "datePublished": "2026-02-13T13:29:55.895Z", "dateUpdated": "2026-05-11T22:00:20.142Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:00:20.142Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don't need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter->genmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain->use reference count. Each abort cycle\npermanently decrements chain->use. Once chain->use reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8", "lessThan": "8c760ba4e36c750379d13569f23f5a6e185333f5", "status": "affected", "versionType": "git"}, {"version": "d60be2da67d172aecf866302c91ea11533eca4d9", "lessThan": "b9b6573421de51829f7ec1cce76d85f5f6fbbd7f", "status": "affected", "versionType": "git"}, {"version": "628bd3e49cba1c066228e23d71a852c23e26da73", "lessThan": "42c574c1504aa089a0a142e4c13859327570473d", "status": "affected", "versionType": "git"}, {"version": "628bd3e49cba1c066228e23d71a852c23e26da73", "lessThan": "1444ff890b4653add12f734ffeffc173d42862dd", "status": "affected", "versionType": "git"}, {"version": "628bd3e49cba1c066228e23d71a852c23e26da73", "lessThan": "8b68a45f9722f2babe9e7bad00aa74638addf081", "status": "affected", "versionType": "git"}, {"version": "628bd3e49cba1c066228e23d71a852c23e26da73", "lessThan": "f41c5d151078c5348271ffaf8e7410d96f2d82f8", "status": "affected", "versionType": "git"}, {"version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1", "status": "affected", "versionType": "git"}, {"version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50", "status": "affected", "versionType": "git"}, {"version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9", "status": "affected", "versionType": "git"}, {"version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_tables_api.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.200", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.163", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.121", "versionEndExcluding": "5.15.200"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.36", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.316"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.262"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.188"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"}, {"url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"}, {"url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"}, {"url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"}, {"url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"}, {"url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"}], "title": "netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "76EC9BF9-9775-4D90-B594-4C2AB71E1F86", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.316", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CE7F771-8144-4AEC-B6E3-5F4830BD8EB7", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.262", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D42E8C7-CD33-432A-AC09-DC524C88ECE4", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.188", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EA37A2D-57E0-4A43-A252-503102E540FF", "versionEndExcluding": "5.15.200", "versionStartIncluding": "5.15.121", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D546C31-A384-495B-8C0A-A791FD646888", "versionEndExcluding": "6.1.163", "versionStartIncluding": "6.1.36", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E002324-2B5E-4373-A29E-1D5D0FC97F6F", "versionEndExcluding": "6.4", "versionStartIncluding": "6.3.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "08EA1902-1FF1-4739-8B3E-5340B3E41010", "versionEndExcluding": "6.6.124", "versionStartIncluding": "6.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*", "matchCriteriaId": "DE0B0BF6-0EEF-4FAD-927D-7A0DD77BEE75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don't need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter->genmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain->use reference count. Each abort cycle\npermanently decrements chain->use. Once chain->use reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nf_tables: correcci\u00f3n de la comprobaci\u00f3n genmask invertida en nft_map_catchall_activate()\n\nnft_map_catchall_activate() tiene una comprobaci\u00f3n de actividad de elemento invertida en comparaci\u00f3n con su contraparte no-catchall nft_mapelem_activate() y en comparaci\u00f3n con lo que se requiere l\u00f3gicamente.\n\nnft_map_catchall_activate() es llamada desde la ruta de aborto para reactivar elementos de mapa catchall que fueron desactivados durante una transacci\u00f3n fallida. Deber\u00eda omitir los elementos que ya est\u00e1n activos (no necesitan reactivaci\u00f3n) y procesar los elementos que est\u00e1n inactivos (necesitan ser restaurados). En cambio, el c\u00f3digo actual hace lo contrario: omite los elementos inactivos y procesa los activos.\n\nCompare la devoluci\u00f3n de llamada de activaci\u00f3n no-catchall, que es correcta:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter->genmask))\n return 0; /* omitir activos, procesar inactivos */\n\nCon la versi\u00f3n catchall con errores:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* omitir inactivos, procesar activos */\n\nLa consecuencia es que cuando una operaci\u00f3n DELSET es abortada, nft_setelem_data_activate() nunca es llamada para el elemento catchall. Para los elementos de veredicto NFT_GOTO, esto significa que nft_data_hold() nunca es llamada para restaurar el contador de referencias chain->use. Cada ciclo de aborto decrementa permanentemente chain->use. Una vez que chain->use llega a cero, DELCHAIN tiene \u00e9xito y libera la cadena mientras que los elementos de veredicto catchall a\u00fan la referencian, resultando en un uso despu\u00e9s de liberaci\u00f3n.\n\nEsto es explotable para escalada de privilegios local desde un usuario sin privilegios a trav\u00e9s de espacios de nombres de usuario + nftables en distribuciones que habilitan CONFIG_USER_NS y CONFIG_NF_TABLES.\n\nCorrecci\u00f3n eliminando la negaci\u00f3n para que la comprobaci\u00f3n coincida con nft_mapelem_activate(): omitir elementos activos, procesar inactivos."}], "id": "CVE-2026-23111", "lastModified": "2026-04-03T14:16:23.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-13T14:16:10.283", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check", "id": "2439687", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439687"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-672", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module nf_tables from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2026-23111", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23111\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23111\nhttps://lore.kernel.org/linux-cve-announce/2026021300-CVE-2026-23111-9762@gregkh/T"], "statement": "A logic bug in nf_tables nft_map_catchall_activate uses an inverted element active check during the abort path of a failed transaction. This can prevent re activation of catchall map elements and for NFT_GOTO verdict elements it can skip restoring the chain use reference count. Repeating an abort sequence can permanently decrement chain use until DELCHAIN frees the chain while catchall elements still reference it which can result in a use after free. For the CVSS the PR is L, but in the paranoid scenario the unprivileged users may reach nf_tables via user namespaces with delegated CAP_NET_ADMIN. The issue is not directly network reachable and is triggered by local nftables control plane operations. Impact can range from denial of service to potential privilege escalation depending on heap reuse.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8,8c760ba4e36c750379d13569f23f5a6e185333f5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d60be2da67d172aecf866302c91ea11533eca4d9,b9b6573421de51829f7ec1cce76d85f5f6fbbd7f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[628bd3e49cba1c066228e23d71a852c23e26da73,42c574c1504aa089a0a142e4c13859327570473d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[628bd3e49cba1c066228e23d71a852c23e26da73,1444ff890b4653add12f734ffeffc173d42862dd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[628bd3e49cba1c066228e23d71a852c23e26da73,8b68a45f9722f2babe9e7bad00aa74638addf081)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[628bd3e49cba1c066228e23d71a852c23e26da73,f41c5d151078c5348271ffaf8e7410d96f2d82f8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.200,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.163,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.124,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.70,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.10,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T20:44:04.216154+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version where the nf_tables inversion bug has been fixed (e.g., apply the kernel patch identified by commit 1444ff890b4653add12f734ffeffc173d42862dd or any subsequent release incorporating this change).", "If a kernel upgrade is not immediately feasible, reconfigure the kernel to disable CONFIG_USER_NS or CONFIG_NF_TABLES, thereby removing the attack surface that relies on user namespaces and nftables.", "After applying the fix or disabling the vulnerable components, verify that nftables operations no longer invoke the buggy path by monitoring kernel logs for nf_tables errors and testing common nftables commands in a controlled environment."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include versions 6.19 rc1 through rc8 and kernel 6.4, when built with the CONFIG_USER_NS and CONFIG_NF_TABLES options enabled. The bug is present in every Linux kernel that contains the nf_tables module without the subsequently applied patch.", "description_and_impact": "The vulnerability resides in the nf_tables module of the Linux kernel. An incorrect activity check in nft_map_catchall_activate() causes the function to process already active map elements while skipping those that are inactive. This logic flaw prevents the restoration of reference counts for chain objects when a DELETE set (DELSET) operation is aborted, leading to a use\u2011after\u2011free condition on the nf_tables chain structure. An attacker can trigger the crash by performing an aborted DELSET via user namespaces and nftables, and the resulting use\u2011after\u2011free can be leveraged for local privilege escalation.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at any given time. The vulnerability is not listed in CISA\u2019s KEV catalog, implying no known widespread exploitation. The attack requires local access to a system that allows creation of user namespaces and use of nftables, making it a local privilege escalation vector rather than a remote one. Once exploited, the use\u2011after\u2011free can lead to arbitrary code execution or system compromise by the attacker. The fix removes the incorrect negation in the activity check, restoring correct reference counting and eliminating the use\u2011after\u2011free."}}}}, "created": "2026-02-13T21:28:38.681188+00:00", "updated": "2026-04-15T20:45:06.391898+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}