Linux nftables CVE-2026-23111 public LPE exploits
Summary
Public exploit writeups for CVE-2026-23111 now show local privilege escalation from an unprivileged Linux user to root through the kernel nf_tables subsystem when user namespaces and nftables are reachable. Exodus Intelligence published a full technical exploit walkthrough on June 8, 2026, and FuzzingLabs separately reproduced the flaw on Red Hat Enterprise Linux 10 in April 2026.
Tags
- ops
- operations
- vulnerability
- exploitation
- Linux
- nftables
- nf_tables
- container escape
- privilege escalation
- CVE-2026-23111
Why this matters
- This is not a remote entry point by itself; it is a post-compromise escalation primitive for low-privileged shells, compromised containers, CI jobs, developer workstations, and multi-user Linux systems.
- The exposed preconditions are common: distributions may enable both CONFIG_NF_TABLES and unprivileged user namespaces, letting an unprivileged user reach the kernel packet-filtering code through a private user namespace, which grants CAP_NET_ADMIN over a child network namespace and so exposes the nf_tables netlink interface.
- Public writeups now cover Debian, Ubuntu, and Red Hat-family paths, so defenders should treat unpatched systems as having a documented local-root path rather than only a theoretical CVE.
Public reporting
- Exodus Intelligence says the bug is a use-after-free in Linux kernel nftables, patched upstream on February 5, 2026, and assigned CVE-2026-23111. Exodus exploited it for local privilege escalation from an unprivileged user to root on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
- FuzzingLabs describes the flaw as an inverted condition in the abort phase of nf_tables transactions. Their reproduction targets Red Hat Enterprise Linux 10 and notes exploitability through user namespaces plus nftables on distributions with CONFIG_USER_NS and CONFIG_NF_TABLES enabled.
- Ubuntu rates the issue high priority and states that a local unprivileged user can gain root through a use-after-free. Debian tracks fixed and vulnerable package states across supported releases.
- The Hacker News surfaced the June 8 Exodus publication to a wider defender audience, headlining it as a one-character kernel flaw, and emphasized that the bug is local-only but useful after a foothold or container compromise.
Defender notes
- Patch kernels from the relevant distribution advisory and reboot: installing the kernel package only stages the fix, and the vulnerable kernel keeps running until the host boots into the new one. Confirm with uname -r that the running kernel is the fixed version the advisory names.
- Prioritize systems that allow untrusted local users, shared build agents, CI runners, container hosts, Kubernetes worker nodes, research sandboxes, and developer workstations.
- Where business impact permits, restrict unprivileged user namespaces (user.max_user_namespaces=0 upstream, kernel.unprivileged_userns_clone=0 on Debian/Ubuntu kernels that carry that patch, kernel.apparmor_restrict_unprivileged_userns=1 on Ubuntu 23.10 and later) and review whether untrusted workloads can still create user and network namespaces: an unprivileged user namespace grants CAP_NET_ADMIN over its own network namespace, and that is what makes nftables reachable. Container seccomp profiles that block unshare and clone with CLONE_NEWUSER remove that path for containers.
- Treat container breakouts as a realistic consequence when vulnerable kernels combine with permissive namespace settings; scope exposed secrets and host-level credentials accordingly.
- Hunt for suspicious local privilege-escalation staging after initial access: namespace creation by unusual service accounts, nftables manipulation from unexpected containers or build jobs, kernel-crash telemetry, and sudden root-owned process trees following low-privileged execution.
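The precondition and reboot checks in the notes above, as a triage script. This is an added example written for this page, not code from Exodus, FuzzingLabs or any distribution advisory. It assumes a POSIX shell with GNU sort -V; the SYSROOT variable is an assumption added so the sysctl reads can be pointed at a constructed tree for testing, and the kernel version strings in the comments are constructed. It reports whether the exploit preconditions (nf_tables built in, unprivileged user namespaces open) are present and whether a newer kernel is installed than the one running; the fixed version itself is distribution-specific and still has to be read from the advisory.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-23111 exposure; example code for this
# page, not from the cited writeups or any distribution.
# Checks the preconditions the public reporting names:
#   1. CONFIG_NF_TABLES built in (y or m)
#   2. unprivileged user namespaces open (not restricted by sysctl)
#   3. a newer kernel installed than the one running (patch staged, but
#      the vulnerable kernel still executing because nobody rebooted)
# SYSROOT is an assumption added so the sysctl reads can target a
# constructed tree; leave it empty on a real host.

SYSROOT="${SYSROOT:-}"

# nf_tables_built CONFIGFILE -> "yes" if CONFIG_NF_TABLES=y or =m.
# On a host use /boot/config-$(uname -r); if that is absent,
# `zcat /proc/config.gz > /tmp/config` and point at the copy.
nf_tables_built() {
    if grep -Eqs '^CONFIG_NF_TABLES=(y|m)$' "$1"; then
        echo yes
    else
        echo no
    fi
}

# sysctl_val RELATIVE_PATH DEFAULT -> value under /proc/sys, or DEFAULT when
# the knob does not exist on this kernel.
sysctl_val() {
    f="$SYSROOT/proc/sys/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "$2"
    fi
}

# userns_policy -> "restricted" if any knob distributions use to block
# unprivileged user namespaces is set, otherwise "open":
#   user.max_user_namespaces = 0                      (upstream)
#   kernel.unprivileged_userns_clone = 0              (Debian/Ubuntu patch, where present)
#   kernel.apparmor_restrict_unprivileged_userns = 1  (Ubuntu 23.10 and later)
userns_policy() {
    if [ "$(sysctl_val user/max_user_namespaces 1)" = 0 ]; then
        echo restricted
    elif [ "$(sysctl_val kernel/unprivileged_userns_clone 1)" = 0 ]; then
        echo restricted
    elif [ "$(sysctl_val kernel/apparmor_restrict_unprivileged_userns 0)" = 1 ]; then
        echo restricted
    else
        echo open
    fi
}

# reboot_pending RUNNING INSTALLED... -> "yes" when an installed kernel is
# newer than the running one. Assumes GNU `sort -V` for version ordering.
# Example (constructed versions): reboot_pending 6.1.0-28-amd64 6.1.0-28-amd64 6.1.0-31-amd64
reboot_pending() {
    running=$1
    shift
    newest=$(printf '%s\n' "$running" "$@" | sort -V | tail -n 1)
    if [ "$newest" != "$running" ]; then
        echo yes
    else
        echo no
    fi
}

# verdict CONFIGFILE RUNNING INSTALLED... -> one summary line. It only says
# whether the exploit preconditions are present; the running version must
# still be compared with the fixed version in the distribution advisory.
verdict() {
    cfg=$1
    running=$2
    shift 2
    nft=$(nf_tables_built "$cfg")
    ns=$(userns_policy)
    rb=$(reboot_pending "$running" "$@")
    if [ "$nft" = yes ] && [ "$ns" = open ]; then
        state=PRECONDITIONS-PRESENT
    else
        state=preconditions-absent
    fi
    echo "$state nf_tables=$nft userns=$ns reboot_pending=$rb running=$running"
}

# Live run: sh check-nft-lpe.sh --host
# The unshare probe is the authoritative user-namespace test; the sysctls
# above are the policy view. Both are printed so they can be compared.
if [ "${1:-}" = "--host" ]; then
    if unshare -Ur true 2>/dev/null; then probe=open; else probe=blocked; fi
    echo "unshare-probe=$probe"
    verdict "/boot/config-$(uname -r)" "$(uname -r)" $(ls /lib/modules)
fi
```

Run it with --host on each candidate machine and treat PRECONDITIONS-PRESENT together with an unpatched running version as a documented local-root path; reboot_pending=yes with the fixed package installed means the fix has been staged but the vulnerable kernel is still the one executing. Sourcing the file without arguments exposes the functions for use from other scripts.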
Sources
- Exodus Intelligence: https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
- FuzzingLabs: https://fuzzinglabs.com/repro-cve-2026-23111/
- Ubuntu CVE-2026-23111: https://ubuntu.com/security/CVE-2026-23111
- Debian security tracker CVE-2026-23111: https://security-tracker.debian.org/tracker/CVE-2026-23111
- The Hacker News: https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html