Linux kernel nf_tables use-after-free in nft_map_catchall_activate
CVE-2026-23111 is a local use-after-free vulnerability in the Linux kernel nf_tables subsystem. The root cause is an inverted activity/genmask check in nft_map_catchall_activate(), the abort-path callback used to reactivate catchall map elements after a failed nftables transaction. Due to the incorrect negation, the function skips inactive catchall elements that should be restored and instead processes already-active ones. As a result, when a DELSET operation is aborted, nft_setelem_data_activate() is not invoked for the catchall element. For NFT_GOTO verdict elements, nft_data_hold() is therefore not called to restore the referenced chain's use count. Repeated abort cycles can permanently decrement chain->use until it reaches zero, after which DELCHAIN can free the chain while catchall verdict elements still retain references to it, creating a dangling pointer and use-after-free condition. Public reporting indicates this can be exploited by an unprivileged local user to obtain root privileges and escape container or namespace isolation on systems exposing the relevant kernel attack surface.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Linux kernel local privilege escalation and container escape vulnerability in nf_tables caused by a use-after-free / inverted check, allowing an unprivileged local user to gain root.
A Linux kernel nftables subsystem use-after-free vulnerability that allows unprivileged local attackers to escalate privileges to root, with reliable exploitability demonstrated on affected Debian and Ubuntu distributions.
Unknown
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.