Critical Linux Kernel Vulnerability (CVE-2026-23111) Enables Local Privilege Escalation
A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, allowing unprivileged local attackers to escalate privileges to root on widely used distributions, including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. The bug resides in the nft_map_catchall_activate() function within nftables, a packet filtering framework built on Linux’s Netfilter hooks.
Testing in a controlled lab environment revealed that Rocky Linux exhibited lower vulnerability exposure post-update compared to Ubuntu and Red Hat systems. However, kernel backports and system configurations influence risk, meaning version numbers alone may not fully indicate exposure. The vulnerability appears to affect Linux kernels 5.15 and later, while default kernels in AlmaLinux and Rocky Linux (5.14) remain unaffected.
The flaw underscores the ongoing risks of privilege escalation in Linux environments, particularly in systems relying on nftables for network filtering.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7469793818335150081
TuxCare cybersecurity rating report: https://www.rankiteo.com/company/tuxcare
Canonical cybersecurity rating report: https://www.rankiteo.com/company/canonical
Debian cybersecurity rating report: https://www.rankiteo.com/company/debian
Rocky Linux cybersecurity rating report: https://www.rankiteo.com/company/rockylinux
"id": "TUXCANDEBROC1780943498",
"linkid": "tuxcare, canonical, debian, rockylinux",
"type": "Vulnerability",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
'name': 'Debian',
'type': 'Operating System'},
{'industry': 'Technology',
'name': 'Ubuntu',
'type': 'Operating System'},
{'industry': 'Technology',
'name': 'Rocky Linux',
'type': 'Operating System'},
{'industry': 'Technology',
'name': 'AlmaLinux',
'type': 'Operating System'},
{'industry': 'Technology',
'name': 'Red Hat',
'type': 'Operating System'}],
'attack_vector': 'Local',
'date_detected': '2025',
'date_publicly_disclosed': '2026-02-05',
'date_resolved': '2026-02-05',
'description': 'A use-after-free vulnerability in the Linux kernel’s nftables '
'subsystem has been disclosed, allowing unprivileged local '
'attackers to escalate privileges to root on widely used '
'distributions, including Debian Bookworm, Debian Trixie, '
'Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Tracked as '
'CVE-2026-23111, the flaw was discovered in early 2025 and '
'patched upstream on February 5, 2026. The bug resides in the '
'nft_map_catchall_activate() function within nftables, a '
'packet filtering framework built on Linux’s Netfilter hooks.',
'impact': {'systems_affected': 'Privilege escalation to root'},
'investigation_status': 'Resolved',
'lessons_learned': 'The vulnerability underscores the ongoing risks of '
'privilege escalation in Linux environments, particularly '
'in systems relying on nftables for network filtering.',
'post_incident_analysis': {'corrective_actions': 'Kernel patch applied to fix '
'the use-after-free flaw',
'root_causes': 'Use-after-free vulnerability in '
'the nft_map_catchall_activate() '
'function within nftables'},
'recommendations': 'Update to the latest patched kernel version to mitigate '
'the risk of privilege escalation.',
'references': [{'source': 'Linux Kernel Commit'}],
'response': {'containment_measures': 'Kernel patch applied upstream',
'remediation_measures': 'Update to patched kernel version'},
'title': 'Critical Linux Kernel Vulnerability (CVE-2026-23111) Enables Local '
'Privilege Escalation',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-23111 (Use-after-free in nftables '
'subsystem)'}