CVE-2026-23111

{"id": "CVE-2026-23111", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-02-13T14:16:10.283", "references": [{"url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don't need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter->genmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain->use reference count. Each abort cycle\npermanently decrements chain->use. Once chain->use reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nf_tables: correcci\u00f3n de la comprobaci\u00f3n genmask invertida en nft_map_catchall_activate()\n\nnft_map_catchall_activate() tiene una comprobaci\u00f3n de actividad de elemento invertida en comparaci\u00f3n con su contraparte no-catchall nft_mapelem_activate() y en comparaci\u00f3n con lo que se requiere l\u00f3gicamente.\n\nnft_map_catchall_activate() es llamada desde la ruta de aborto para reactivar elementos de mapa catchall que fueron desactivados durante una transacci\u00f3n fallida. Deber\u00eda omitir los elementos que ya est\u00e1n activos (no necesitan reactivaci\u00f3n) y procesar los elementos que est\u00e1n inactivos (necesitan ser restaurados). En cambio, el c\u00f3digo actual hace lo contrario: omite los elementos inactivos y procesa los activos.\n\nCompare la devoluci\u00f3n de llamada de activaci\u00f3n no-catchall, que es correcta:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter->genmask))\n return 0; /* omitir activos, procesar inactivos */\n\nCon la versi\u00f3n catchall con errores:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* omitir inactivos, procesar activos */\n\nLa consecuencia es que cuando una operaci\u00f3n DELSET es abortada, nft_setelem_data_activate() nunca es llamada para el elemento catchall. Para los elementos de veredicto NFT_GOTO, esto significa que nft_data_hold() nunca es llamada para restaurar el contador de referencias chain->use. Cada ciclo de aborto decrementa permanentemente chain->use. Una vez que chain->use llega a cero, DELCHAIN tiene \u00e9xito y libera la cadena mientras que los elementos de veredicto catchall a\u00fan la referencian, resultando en un uso despu\u00e9s de liberaci\u00f3n.\n\nEsto es explotable para escalada de privilegios local desde un usuario sin privilegios a trav\u00e9s de espacios de nombres de usuario + nftables en distribuciones que habilitan CONFIG_USER_NS y CONFIG_NF_TABLES.\n\nCorrecci\u00f3n eliminando la negaci\u00f3n para que la comprobaci\u00f3n coincida con nft_mapelem_activate(): omitir elementos activos, procesar inactivos."}], "lastModified": "2026-03-18T13:43:28.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76EC9BF9-9775-4D90-B594-4C2AB71E1F86", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.316"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CE7F771-8144-4AEC-B6E3-5F4830BD8EB7", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.262"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D42E8C7-CD33-432A-AC09-DC524C88ECE4", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.188"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EA37A2D-57E0-4A43-A252-503102E540FF", "versionEndExcluding": "5.15.200", "versionStartIncluding": "5.15.121"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D546C31-A384-495B-8C0A-A791FD646888", "versionEndExcluding": "6.1.163", "versionStartIncluding": "6.1.36"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E002324-2B5E-4373-A29E-1D5D0FC97F6F", "versionEndExcluding": "6.4", "versionStartIncluding": "6.3.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08EA1902-1FF1-4739-8B3E-5340B3E41010", "versionEndExcluding": "6.6.124", "versionStartIncluding": "6.4.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933", "versionEndExcluding": "6.12.70", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D", "versionEndExcluding": "6.18.10", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE0B0BF6-0EEF-4FAD-927D-7A0DD77BEE75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}