One-Character Linux Kernel Bug (CVE-2026-23111) Enables Local Root Access

A critical use-after-free bug in the Linux kernel’s nf_tables subsystem (CVE-2026-23111) lets an unprivileged local user gain root. Learn how this one-character logic error works, who is affected, and which fixes are available.

Find Kernel Risk Before Root Access
  • June 11, 2026

A Stray “!”: The Tiny Typo That Opened a Huge Hole in Linux Security

CVE-2026-23111 is a use-after-free vulnerability in nf_tables, the packet-filtering subsystem of the Linux kernel, found in early 2026. A single wrong character produced a critical logic error: because of an inverted condition, the kernel skipped the reactivation of certain “catchall” set elements.

An attacker exploits the flaw by driving a chain’s reference counter to zero so that the chain is freed while it is still in use. The resulting use-after-free can be turned into arbitrary code execution in kernel context, a root shell, and an escape from a container. All of this because of one stray “!”.

nf_tables organizes packet-filtering policy into tables, chains, and individual rules, and applies configuration changes as transactions. If something in a batch fails, the changes already prepared are undone in a special “abort” phase. The faulty logic in that phase meant that a failed deletion of catchall set elements did not restore the chain’s reference counter: nft_map_catchall_activate() used if (!active) continue, which skips the inactive elements that need reactivating instead of skipping the elements that are still active.

Because nft_setelem_data_activate() was never called for those elements, the chain’s reference counter could reach zero during the abort phase and the chain could be deleted even though it was still in use. Deleting the stray ! resolves the issue: inactive elements are reactivated again and their references on the chain are restored. Simply put, the fix is a single character.
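To make the abort-phase logic concrete, here is an added model, written for this page and not taken from the Linux kernel or from the patch, of what the two paragraphs above describe. The structs and helper names are simplified stand-ins for the nf_tables objects the page mentions: a chain with a use counter, catchall set elements whose map data references that chain, a deactivation that drops the reference, and the reactivation that should give it back. The buggy flag selects the stray-“!” condition; everything else is identical between the two runs, so the difference in the final use count is the bug itself.

```c
/* Added model of the CVE-2026-23111 logic error. This is NOT kernel code:
 * the structs and functions below are simplified stand-ins for the
 * nf_tables objects the page names (chain use counter, catchall set
 * elements, nft_setelem_data_activate(), nft_map_catchall_activate()). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ELEMS 8

struct chain {
    int use;        /* references held on this chain; released at zero */
    bool freed;     /* set once the chain has been released */
};

struct elem {
    bool active;          /* live in the current generation? */
    struct chain *chain;  /* map data: the chain this catchall element resolves to */
};

struct set {
    struct elem elems[MAX_ELEMS];
    size_t n;
};

struct abort_result {
    int use;        /* chain use count after the aborted transaction */
    bool dangling;  /* does any element still point at a released chain? */
};

/* Deleting a catchall element drops the reference its data holds on the chain. */
static void setelem_data_deactivate(struct elem *e)
{
    e->active = false;
    e->chain->use--;
}

/* Undoing that deletion must give the reference back; this is the step the
 * page says was never reached (its nft_setelem_data_activate()). */
static void setelem_data_activate(struct elem *e)
{
    e->active = true;
    e->chain->use++;
}

/* Abort-phase walk over the catchall elements of a map (stand-in for
 * nft_map_catchall_activate()). With buggy == true the loop uses the
 * stray-"!" condition and skips the inactive elements that need restoring;
 * with buggy == false it skips the elements that are still active. */
static void map_catchall_activate(struct set *s, bool buggy)
{
    for (size_t i = 0; i < s->n; i++) {
        struct elem *e = &s->elems[i];
        bool active = e->active;

        if (buggy ? !active : active)
            continue;
        setelem_data_activate(e);
    }
}

/* Once the transaction is unwound, a chain nobody references is released. */
static void chain_put(struct chain *c)
{
    if (c->use <= 0)
        c->freed = true;
}

/* The scenario from the text: n catchall elements reference one chain, a
 * request deletes the set (deactivating every element), and the batch is
 * then aborted, so the deletion has to be reverted. */
struct abort_result run_abort_scenario(size_t n, bool buggy)
{
    struct chain ch = { .use = 0, .freed = false };
    struct set s = { .n = n > MAX_ELEMS ? MAX_ELEMS : n };
    struct abort_result r = { 0, false };

    for (size_t i = 0; i < s.n; i++) {
        s.elems[i].chain = &ch;
        setelem_data_activate(&s.elems[i]);   /* initial add: active, use++ */
    }

    for (size_t i = 0; i < s.n; i++)            /* delete request */
        setelem_data_deactivate(&s.elems[i]);

    map_catchall_activate(&s, buggy);           /* abort: revert the delete */
    chain_put(&ch);

    r.use = ch.use;
    for (size_t i = 0; i < s.n; i++)
        if (s.elems[i].chain->freed)
            r.dangling = true;                  /* element -> released chain */
    return r;
}

int main(void)
{
    struct abort_result fixed = run_abort_scenario(3, false);
    struct abort_result buggy = run_abort_scenario(3, true);

    printf("fixed condition:   use=%d, dangling=%s\n",
           fixed.use, fixed.dangling ? "yes" : "no");
    printf("stray-! condition: use=%d, dangling=%s\n",
           buggy.use, buggy.dangling ? "yes" : "no");
    return 0;
}
```

Build with cc -std=c99 and run it: the fixed run ends with use=3 and no dangling reference, the buggy run with use=0 and the chain released while the three elements still point at it. The real kernel keeps no freed flag, of course; there the stale pointer is simply dereferenced later, which is the use-after-free the rest of this article is about.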

CVE-2026-23111 – nftables Use-After-Free
A single-character typo in nftables caused a use-after-free in the Linux kernel, enabling unprivileged local attackers to gain root and break out of containers.
CVSS SCORE
7.8
HIGH
The One-Character Bug
In nft_map_catchall_activate(), a faulty if (!active) continue condition skips reactivation of catchall objects during the abort phase. Removing the stray ! restores correct behavior: failed deletions no longer leave a chain’s reference counter at zero while the chain remains in use.
Exploit Mechanics
An unprivileged attacker uses user namespaces and nftables netlink messages to remove a pipapo set with a catchall element, abort the transaction, and manipulate the generation mask, triggering a use-after-free, a kernel pointer leak, and a ROP chain that yields a root shell.
Affected Systems
Ubuntu: 22.04, 24.04, 25.10
Debian: Bookworm, Trixie (backported to Bullseye LTS)
Also: Red Hat, SUSE, Amazon Linux and others with CONFIG_NF_TABLES and CONFIG_USER_NS enabled.
Mitigation
Install the latest patched kernel and reboot. Major distributions have released fixes. With a public PoC available, unpatched systems running user namespaces and nftables should be updated immediately.
SECURITY NOTE: No network-based exploit is possible; an attacker must already have local host access (a low-privilege shell, a compromised container, or a service account). User namespaces and nftables are enabled by default on most major Linux distributions.

How The Exploit Works

Root can be obtained through a kernel use-after-free by a local attacker operating from an unprivileged user namespace. The attacker combines user namespaces with nftables, sends netlink messages to remove a “pipapo” set that holds a catchall element, aborts the transaction, and deactivates the catchall element.

By further manipulating the generation mask, the attacker deletes the catchall element once more; it then becomes active again in the following generation and is freed improperly, corrupting kernel memory. From there, a kernel pointer leak and a ROP chain driven through netlink messages lead to a root shell.

In practice, any local attacker with a foothold, whether a low-privilege shell, a compromised container, or merely a service account, can gain full root. Because user namespaces and nftables are enabled by default on Ubuntu, Debian, Red Hat, SUSE, and Amazon Linux, the number of vulnerable machines is large.

No network-based exploit is possible: an attacker must first obtain local access to the host before exploiting this vulnerability through nftables.

Affected Versions And Patches

Several major Linux distributions have patched their kernels: Ubuntu 22.04, 24.04, and 25.10; Debian Bookworm and Trixie (with a backport to Bullseye LTS); Red Hat, SUSE, Amazon Linux, and others. According to Ubuntu, the CVSS score is 7.8 (High).

The fix is a single character in the source, but applying it means installing the latest kernel package and rebooting: the running kernel is not patched until the system boots into the new one. Anyone running an unpatched kernel built with CONFIG_NF_TABLES and CONFIG_USER_NS must update now, because a PoC has been released and attackers can leverage it. Note that the build options alone do not settle exposure: distributions also gate unprivileged user namespace creation at runtime (for example through the user.max_user_namespaces sysctl), so check the running system, not just its kernel config.

In short, a trivial mistake in nftables turned into a serious vulnerability. Linux kernels need regular updates, especially on systems that expose potentially dangerous capabilities such as unprivileged user namespaces.

Conclusion: When One Character Becomes Root Access

CVE-2026-23111 shows how small kernel logic errors can create major security consequences. A single misplaced “!” in the Linux nf_tables subsystem created a use-after-free path that lets a local unprivileged user manipulate kernel memory, leak pointers, build a ROP chain, and gain root access.

This is not a remote exploit. It is a post-foothold escalation risk. Once an attacker has a low-privilege shell, compromised container, or service account, the endpoint can become fully controlled if the kernel remains exposed.

Why This Threat Matters

This vulnerability is dangerous because it turns ordinary local access into root-level control.

  • User namespaces and nftables are enabled across many Linux environments
  • A low-privilege account can become a root shell
  • Compromised containers can become escape paths
  • Public exploit details increase pressure on unpatched systems
  • One missed kernel update can expose entire server fleets

For cloud workloads, developer systems, and Linux servers, local privilege escalation is often the bridge between initial access and full operational impact.

Where Xcitium Changes the Outcome

For organizations using Xcitium Vulnerability Assessment, this exposure becomes visible before attackers can turn it into root access.

  • Vulnerable Linux kernels are identified for urgent remediation
  • Systems with exposed nftables and user namespace configurations are prioritized
  • Patch gaps across Ubuntu, Debian, Red Hat, SUSE, Amazon Linux, and other distributions can be tracked
  • Security teams gain evidence of which assets require immediate kernel updates and reboot validation

And for attack chains that depend on unknown tools, scripts, or payloads before escalation, Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.

Unknown execution does not receive unrestricted rights.
Code can run without being able to cause damage.
Runtime control is enforced before trust exists.
Proof of control follows enforcement.

Patch the Kernel. Govern the Execution Path.

CVE-2026-23111 proves that local bugs are never “local only” risks. Once attackers gain any foothold, privilege escalation can turn limited access into full control.

Detection explains what happened.
Governance proves what could not happen.

Identify vulnerable Linux systems.
Patch and reboot immediately.
Govern unknown execution before trust.

Choose Xcitium Vulnerability Assessment and Xcitium Advanced EDR.


Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent it from causing any damage. Zero infection. Zero damage.
