Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

nft_mapelem_activate():
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */

With the buggy catchall version:

nft_map_catchall_activate():
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
Published: 2026-02-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the nf_tables module of the Linux kernel. An incorrect activity check in nft_map_catchall_activate() causes the function to process already active map elements while skipping those that are inactive. This logic flaw prevents the restoration of reference counts for chain objects when a DELETE set (DELSET) operation is aborted, leading to a use‑after‑free condition on the nf_tables chain structure. An attacker can trigger the crash by performing an aborted DELSET via user namespaces and nftables, and the resulting use‑after‑free can be leveraged for local privilege escalation.

Affected Systems

All Linux kernel releases that include versions 6.19 rc1 through rc8 and kernel 6.4, when built with the CONFIG_USER_NS and CONFIG_NF_TABLES options enabled. The bug is present in every Linux kernel that contains the nf_tables module without the subsequently applied patch.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at any given time. The vulnerability is not listed in CISA’s KEV catalog, implying no known widespread exploitation. The attack requires local access to a system that allows creation of user namespaces and use of nftables, making it a local privilege escalation vector rather than a remote one. Once exploited, the use‑after‑free can lead to arbitrary code execution or system compromise by the attacker. The fix removes the incorrect negation in the activity check, restoring correct reference counting and eliminating the use‑after‑free.

Generated by OpenCVE AI on April 15, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version where the nf_tables inversion bug has been fixed (e.g., apply the kernel patch identified by commit 1444ff890b4653add12f734ffeffc173d42862dd or any subsequent release incorporating this change).
  • If a kernel upgrade is not immediately feasible, reconfigure the kernel to disable CONFIG_USER_NS or CONFIG_NF_TABLES, thereby removing the attack surface that relies on user namespaces and nftables.
  • After applying the fix or disabling the vulnerable components, verify that nftables operations no longer invoke the buggy path by monitoring kernel logs for nf_tables errors and testing common nftables commands in a controlled environment.

Generated by OpenCVE AI on April 15, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6141-1 linux security update
Debian DSA Debian DSA DSA-6163-1 linux security update
Ubuntu USN Ubuntu USN USN-8148-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8149-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-4 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8152-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-5 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8149-2 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8159-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8159-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8159-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8162-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8164-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8165-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-6 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-8148-7 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8188-1 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-8203-1 Linux kernel (Oracle) vulnerabilities
History

Wed, 18 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 14 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-672
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 13 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
Title netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:31:59.219Z

Reserved: 2026-01-13T15:37:45.968Z

Link: CVE-2026-23111

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-13T14:16:10.283

Modified: 2026-04-03T14:16:23.820

Link: CVE-2026-23111

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-13T00:00:00Z

Links: CVE-2026-23111 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses