Full Report
Security researchers have published a detailed, working exploit for a Linux kernel use-after-free that lets an unprivileged local user escalate to root and break out of a container. The flaw, CVE-2026-23111, sits in the kernel's nf_tables packet-filtering code and was patched upstream on February 5, 2026. Exodus Intelligence released its full technical walkthrough on June 8, and it is not even
Analysis Summary
# Vulnerability: Linux Kernel nf_tables Use-After-Free Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-23111
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-416 (Use After Free) / CWE-191 (Integer Underflow or similar "off-by-one" logic error)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Systems running kernels released prior to the February 5, 2026 patch. Specific distributions confirmed vulnerable prior to patching include:
  - Debian Bookworm and Trixie
  - Ubuntu 22.04 LTS and 24.04 LTS
  - RHEL 10
  - Amazon Linux, SUSE (tracking)
- **Configurations:** Systems where `nf_tables` is enabled and **unprivileged user namespaces** are permitted.
## Vulnerability Description
The flaw exists in the `nf_tables` packet-filtering component of the Linux kernel. It is characterized as a "one-character" flaw involving an inverted check or logic error. This mistake allows a local attacker to trigger a use-after-free (UAF) condition. By manipulating memory through this UAF, an attacker can bypass kernel protections to gain elevated privileges.
## Exploitation
- **Status:** PoC available. Detailed technical walkthroughs and independent reproduction exploits have been published (Exodus Intelligence and FuzzingLabs). No confirmed reports of exploitation in the wild.
- **Complexity:** High (Requires chaining memory corruption with bypasses for kernel mitigations).
- **Attack Vector:** Local (Requires a foothold on the system).
## Impact
- **Confidentiality:** High (Full access to host data as root).
- **Integrity:** High (Ability to modify system files and kernel state).
- **Availability:** High (Potential for system crashes or complete takeover).
## Remediation
### Patches
- **Upstream:** Patched in the mainline kernel on February 5, 2026.
- **Ubuntu:** Fixes available for 22.04, 24.04, and 25.10.
- **Debian:** Fixes available for Bookworm and Trixie; backported to 6.1 for Bullseye LTS.
- **Action:** Update the kernel package via the distribution's package manager and **reboot** the system to apply the changes.
### Workarounds
- **Disable Unprivileged User Namespaces:** Since the exploit relies on unprivileged user namespaces to reach the vulnerable code, restricting this feature can mitigate the risk:
  `sysctl -w kernel.unprivileged_userns_clone=0` (Note: This may impact container runtimes or sandboxed applications like Chrome.)
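
To confirm whether a host matches the affected configuration, or whether the workaround is in effect, the check below reads the relevant kernel knobs. It is an added example, not code from the advisory or the kernel project; the optional `ROOT` argument and the function names are assumptions of this example, and it also reads the mainline `user.max_user_namespaces` limit, which the page does not mention.

```shell
#!/bin/sh
# Added example: configuration check only. It does not tell you whether the
# running kernel carries the February 5, 2026 fix.

# read_knob FILE: print the first line of FILE, or "absent" if unreadable.
read_knob() {
    if [ -r "$1" ]; then head -n 1 "$1"; else echo absent; fi
}

# userns_state [ROOT]: print restricted, permitted or unknown.
# ROOT (assumption of this example) prefixes /proc so a constructed tree can be checked.
userns_state() {
    # Knob from the page's workaround; a distribution patch (Debian, Ubuntu).
    clone=$(read_knob "${1:-}/proc/sys/kernel/unprivileged_userns_clone")
    # Mainline limit, not mentioned on the page; 0 disables user namespace creation.
    max=$(read_knob "${1:-}/proc/sys/user/max_user_namespaces")
    if [ "$clone" = 0 ] || [ "$max" = 0 ]; then
        echo restricted
    elif [ "$clone" = absent ] && [ "$max" = absent ]; then
        echo unknown
    else
        echo permitted
    fi
}

# nft_state [ROOT]: print loaded or not-listed, based on /proc/modules.
# not-listed is not proof of safety: the code may be built in or load on demand.
nft_state() {
    if grep -q '^nf_tables ' "${1:-}/proc/modules" 2>/dev/null; then
        echo loaded
    else
        echo not-listed
    fi
}

# exposure_report [ROOT]: one summary line for inventory or fleet tooling.
exposure_report() {
    echo "userns=$(userns_state "${1:-}") nf_tables=$(nft_state "${1:-}")"
}

exposure_report "${1:-}"
```

A host reporting `userns=permitted` still needs the kernel update and reboot; `userns=restricted` only means the workaround is active.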
## Detection
- **Indicators of Compromise:** Unusual privilege escalation events, unexpected container breakouts, or system instability/kernel oops associated with `nf_tables`.
- **Detection methods and tools:** Monitor audit logs for unauthorized use of `ebpf` or namespace creation by service accounts. Use vulnerability scanners to identify out-of-date kernel versions.
## References
- **Vendor Advisory:** hxxps://git[.]kernel[.]org/pub/scm/linux/kernel/git/torvalds/linux[.]git/commit/?id=f41c5d151078c5348271ffaf8e7410d96f2d82f8
- **Exodus Intelligence Walkthrough:** hxxps://blog[.]exodusintel[.]com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
- **FuzzingLabs Reproduction:** hxxps://fuzzinglabs[.]com/repro-cve-2026-23111/
- **News Source:** hxxps://thehackernews[.]com/2026/06/one-character-linux-kernel-flaw-enables.html