Linux kernel use-after-free flaws enable local privilege escalation to root
Two Linux kernel use-after-free vulnerabilities were disclosed in packet-filtering components, exposing systems to local privilege escalation. CVE-2026-23111 affects the nftables subsystem and stems from an inverted conditional in nft_map_catchall_activate() that mishandles catchall elements during transaction aborts, leaving a dangling chain reference. A public technical write-up and working exploit showed the bug can achieve root privileges with high reliability on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS by corrupting chain reference counts, bypassing KASLR, leaking heap addresses, hijacking control flow with a fake nft_expr_ops structure, and executing a ROP chain that calls commit_creds(&init_cred). The exploit also uses switch_task_namespaces() to break out of namespaces and containers.
A separate flaw, CVE-2026-23412, affects the Linux kernel’s BPF netfilter link implementation in nf_bpf_link.c, where synchronous deallocation of bpf_nf_link_lops allowed concurrent nfnetlink hook enumeration to access freed memory during BPF link destruction. Researchers reproduced KASAN slab-use-after-free crashes in nfnl_hook_dump_one on kernel 6.14.0 and said the bug could be exploited through heap spraying and function-pointer hijacking in the kmalloc-192 slab cache. The issue was introduced in 6.4-rc1 and fixed in 7.0-rc5 by commit 24f90fa3994b, which switches to RCU-deferred freeing, while the nftables bug was patched upstream by commit f41c5d1; administrators were urged to deploy patched kernels promptly.
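
Added example (not from the article or its sources): a triage helper that flags kernel release strings falling inside the upstream window the article gives for CVE-2026-23412 (introduced in 6.4-rc1, fixed in 7.0-rc5). It assumes `uname -r` style strings and mainline ordering. Stable and distribution backports are not modelled, so a "review" verdict means the vendor advisory still has to be checked, and the sample inventory is constructed.

```python
import re

# Window taken from the article: CVE-2026-23412 was introduced in 6.4-rc1
# and fixed in 7.0-rc5 (mainline). Backported fixes are NOT modelled here.
INTRODUCED = "6.4-rc1"
FIXED = "7.0-rc5"

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

def parse_release(release):
    """Turn a `uname -r` style string into a sortable tuple.

    Release candidates sort before the final release of the same version,
    so a missing -rcN is mapped to infinity.
    """
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(rc) if rc else float("inf"))

def in_mainline_window(release, introduced=INTRODUCED, fixed=FIXED):
    """True if introduced <= release < fixed in mainline ordering."""
    return parse_release(introduced) <= parse_release(release) < parse_release(fixed)

def triage(releases):
    """Map each release string to 'review', 'outside-window' or 'unparsed'."""
    out = {}
    for r in releases:
        try:
            out[r] = "review" if in_mainline_window(r) else "outside-window"
        except ValueError:
            out[r] = "unparsed"  # vendor-specific naming: inspect by hand
    return out

# Constructed sample inventory (only 6.14.0 is named in the article).
SAMPLE = ["6.14.0", "6.3.13", "6.4.0-rc1", "7.0.0-rc4", "7.0.0-rc5", "7.0.0",
          "6.8.0-45-generic", "5.15.0-91-generic", "custom-build"]

if __name__ == "__main__":
    for rel, verdict in triage(SAMPLE).items():
        print(f"{rel:22} {verdict}")
```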

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
RHEL 10 confirmed vulnerable to CVE-2026-23111
The new report states that testing confirmed CVE-2026-23111 affects RHEL 10 in addition to previously reported Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS systems. The article also notes Ubuntu and Debian have issued patches while other vendors are tracking the flaw.
FuzzingLabs publishes CVE-2026-23111 exploit reproduction
The reference states that FuzzingLabs published a reproduction of the CVE-2026-23111 exploit in April 2026, making exploit details publicly available before the later June 8 technical walkthrough by Exodus Intelligence. This represents an earlier public technical disclosure related to the flaw.
Public technical write-up and exploit disclosed for CVE-2026-23111
CVE-2026-23111 was publicly disclosed with a technical write-up and working exploit demonstrating root privilege escalation and namespace breakout. The disclosure reported impact on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
CVE-2026-23111 discovered in Linux kernel nftables
Oliver Sieber of Exodus Intelligence discovered a local privilege escalation vulnerability in the Linux kernel nftables subsystem in early 2025. The bug is a use-after-free tied to mishandling of catchall elements during transaction aborts.
Aretiq AI publishes analysis of CVE-2026-23412
Aretiq AI published research describing CVE-2026-23412 as a Linux kernel local privilege escalation vulnerability affecting the BPF netfilter link implementation. The write-up said the issue was reproducible on kernel 6.14.0 and exploitable via heap spraying and function pointer hijacking.
Linux kernel 7.0-rc5 fixes CVE-2026-23412
A use-after-free flaw in the Linux kernel's BPF netfilter link implementation, tracked as CVE-2026-23412, was fixed in kernel 7.0-rc5 by commit 24f90fa3994b. The change deferred freeing with RCU to prevent concurrent hook enumeration from accessing freed memory.
Upstream patch released for CVE-2026-23111
The Linux kernel upstream patched CVE-2026-23111 on 2026-02-05. The fix is identified as commit f41c5d1, and administrators were advised to deploy patched kernels.
Sources
CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits - Security Affairs
securityaffairs.com
CVE-2026-23111: One Bad Character Gives Attackers Linux Root | The CyberSec Guru
thecybersecguru.com
Linux Systems Exposed as Public Exploits Target One-Character Kernel Flaw - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public
thehackernews.com
New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root - Cyber Security News
cybersecuritynews.com
CVE-2026-23412 - Linux Kernel Netfilter BPF Hook Use-After-Free LPE | Aretiq AI
aretiq.ai
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() - kernel/git/torvalds/linux.git - Linux kernel source tree
git.kernel.org


