OSG-SEC-2026-06-09 HIGH-nf_tables bug leads to privilege escalation

Dear OSG Security Contacts,

A Linux kernel local privilege escalation vulnerability (CVE-2026-23111) enables local attackers to gain root access. The vulnerability was first disclosed in February 2026 and exploits are now public. Security researchers have published a detailed exploit for a Linux kernel use-after-free that lets an unprivileged local user escalate to root and break out of a container.

WHAT ARE THE VULNERABILITIES:

CVE-2026-23111 is a use-after-free vulnerability in the Linux kernel nf_tables packet filtering subsystem. This is caused by a bug in the rollback logic for failed firewall rule transactions. An attacker can repeatedly trigger the faulty rollback path, causing the kernel to incorrectly reduce the reference count of a firewall chain until it is freed while still being referenced by other objects. This creates a use-after-free condition that can lead to kernel memory corruption.

The vulnerability is reachable when both:

- nf_tables support is available
- unprivileged user namespaces are enabled

An attacker with local access may exploit the vulnerability to:

- Escalate privileges to root
- Escape from containers
- Gain control of the host system

The vulnerability is local-only and does not provide remote code execution by itself.

IMPACTED VERSIONS:

The vulnerability affects Linux kernels containing the vulnerable nf_tables code path prior to the upstream fix released on February 5, 2026. Affected distributions may include:

- Debian
- Ubuntu
- Red Hat Enterprise Linux
- SUSE

Because some time has passed since this vulnerability was disclosed, and other recent LPE vulnerabilities have also required kernel patching, you may already have applied the relevant patch. Check the vulnerable versions listed in the referenced links below for more details. If in doubt, or if you don't see the CVE referenced in the changelog of your running kernel, it's best to install the latest kernel and reboot.

WHAT YOU SHOULD DO:

Apply vendor kernel updates and verify that systems are running patched kernel packages. For enterprise Linux distributions such as RHEL, AlmaLinux, and Rocky Linux, security fixes may be backported without changing the upstream kernel version number. Review whether unprivileged user namespaces are required on your systems. Where operationally feasible, consider restricting or disabling them until patched kernels can be deployed.
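The following script is an added example and is not part of this advisory or of any vendor tooling. It carries out the checks described above on a single host: whether the running kernel's package changelog mentions CVE-2026-23111 (the way a backported fix shows up on RHEL-family hosts whose upstream version number does not change), whether the nf_tables module is currently loaded, and whether unprivileged user namespaces are enabled. It assumes an rpm-based (RHEL, AlmaLinux, Rocky) or dpkg-based (Debian, Ubuntu) host, and the sysctl names it tries are distribution-specific assumptions that may not exist on every kernel.

```shell
#!/bin/sh
# Added example (not part of the OSG advisory): audit one host for the
# conditions and remediation named in the advisory.
# Assumptions: rpm or dpkg package manager; the user-namespace sysctl
# names below are distribution-specific and may be absent.

CVE="CVE-2026-23111"

# Return 0 when the changelog text on stdin mentions the given CVE id.
changelog_mentions_cve() {
    grep -qi -- "$1"
}

# Print the running kernel's package changelog, or nothing if unavailable.
running_kernel_changelog() {
    kver=$(uname -r)
    if command -v rpm >/dev/null 2>&1; then
        # RHEL-family: the fix is backported, so the changelog names the CVE.
        rpm -q --changelog "kernel-core-$kver" 2>/dev/null \
            || rpm -q --changelog "kernel-$kver" 2>/dev/null
    elif command -v dpkg >/dev/null 2>&1; then
        # Debian/Ubuntu: changelog lives under the image package's doc directory.
        pkg=$(dpkg -S "/boot/vmlinuz-$kver" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] && zcat "/usr/share/doc/$pkg/changelog.Debian.gz" 2>/dev/null
    fi
    return 0
}

# Return 0 when /proc/modules-style text on stdin lists nf_tables as loaded.
# A kernel with nf_tables built in will not show it here.
nf_tables_listed() {
    grep -q '^nf_tables ' -- "${1:-/dev/stdin}"
}

# Map a user-namespace sysctl reading to a status word.
#   kernel.unprivileged_userns_clone (Debian/Ubuntu): 1 = enabled, 0 = disabled
#   user.max_user_namespaces (RHEL family):           0 = disabled, >0 = enabled
userns_status() {
    name=$1; value=$2
    case "$name" in
        kernel.unprivileged_userns_clone)
            [ "$value" = 1 ] && echo enabled || echo disabled ;;
        user.max_user_namespaces)
            [ "${value:-0}" -gt 0 ] 2>/dev/null && echo enabled || echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read whichever user-namespace sysctl this kernel exposes.
live_userns_status() {
    for name in kernel.unprivileged_userns_clone user.max_user_namespaces; do
        value=$(sysctl -n "$name" 2>/dev/null) || continue
        userns_status "$name" "$value"
        return 0
    done
    echo unknown
}

audit_host() {
    kver=$(uname -r)
    if running_kernel_changelog | changelog_mentions_cve "$CVE"; then
        echo "kernel $kver: package changelog references $CVE"
    else
        echo "kernel $kver: $CVE not found in changelog; compare against the vendor tracker"
    fi
    if [ -r /proc/modules ] && nf_tables_listed /proc/modules; then
        echo "nf_tables module: loaded"
    else
        echo "nf_tables module: not listed as loaded (may still be built in)"
    fi
    echo "unprivileged user namespaces: $(live_userns_status)"
}

audit_host
```

A changelog that does not mention the CVE is not proof that the host is vulnerable (the vendor tracker is authoritative), but it is the signal the advisory asks you to look for before deciding to install the latest kernel and reboot. The user-namespace status is the input to the second decision: if it reports "enabled" on a host that does not need user namespaces, restricting them narrows the reachable path until the patched kernel is in place.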

REFERENCES

https://access.redhat.com/security/cve/cve-2026-23111
https://ubuntu.com/security/CVE-2026-23111
https://www.suse.com/security/cve/CVE-2026-23111.html
https://security-tracker.debian.org/tracker/CVE-2026-23111
https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
https://nvd.nist.gov/vuln/detail/CVE-2026-23111