Linux Kernel CVE-2026-23111 Enables Local Privilege Escalation via nftables
Severity: High (Score: 74.0)
Sources: Securityaffairs.Co, Cybersecuritynews, Blog.Exodusintel, Gbhackers
Keywords: vulnerability, linux, kernel, attackers, escalate, privileges, root
Severity indicators: vulnerability, ot
Summary
A use-after-free vulnerability in the Linux kernel's nftables subsystem, tracked as CVE-2026-23111, allows local attackers to escalate privileges to root. Discovered in early 2025, the flaw was patched on February 5, 2026. It affects widely used distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. The vulnerability is exploited by leveraging a logic error in the code, which has been demonstrated in a proof of concept released on June 9, 2026. Security researchers from Exodus Intelligence conducted a detailed analysis and exploitation of this vulnerability. The flaw poses a significant risk to systems running affected Linux distributions, especially in environments where local access is possible.
Key Points:
- CVE-2026-23111 allows local privilege escalation to root via a use-after-free flaw.
- The vulnerability affects major Linux distributions, including Debian and Ubuntu.
- A proof of concept for exploiting the vulnerability was released on June 9, 2026.
Detailed Analysis
**Impact** The vulnerability affects widely deployed Linux distributions including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. Local attackers can exploit this flaw to escalate privileges to root, potentially compromising entire systems. Sectors relying on Linux-based infrastructure for packet filtering, NAT, and firewall management are at risk globally. The scope includes any environment using the nftables subsystem, impacting operational security and control over network traffic.
**Technical Details** CVE-2026-23111 is a use-after-free vulnerability in the Linux kernel's nftables subsystem, part of the netfilter framework. The flaw results from a logic error involving a missing "!" character, which lets local attackers escalate privileges. The vulnerability was discovered in early 2025 and patched upstream on February 5, 2026. Exploitation involves chaining the use-after-free bug to gain root privileges; no specific malware or external infrastructure details are provided.
**Recommended Response** Apply the upstream Linux kernel patch released on February 5, 2026, that addresses CVE-2026-23111. Monitor for unusual local privilege escalation attempts and review nftables-related system logs for anomalies. Harden system configurations by limiting local user access where possible. In the absence of specific IOCs, focus on patch management and behavioral detection of privilege escalation activities.
Source articles (4)
- Off By !: Exploiting a Use-after — Blog.Exodusintel · 2026-06-08
  By Oliver Sieber Overview In this blog post, we a use-after-free vulnerability that we found in the nftables subsystem of the Linux kernel in early 2025. This vulnerability was patched upstream on 5 F…
- New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root — Cybersecuritynews · 2026-06-08
  A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, enabling unprivileged local attackers to escalate privileges to root on widely deployed distributions includ…
- CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits — Securityaffairs.Co · 2026-06-09
  A Linux kernel nf_tables bug lets local users gain root via use-after-free caused by a logic error; patch removes a single “!”. CVE-2026-23111 lives in nf_tables, the Linux kernel’s packet filtering f…
- Linux Kernel Flaw Allows Local Attackers to Gain Root Privileges — Gbhackers · 2026-06-09
  A newly disclosed Linux kernel vulnerability tracked as CVE-2026-23111 allows local attackers to escalate privileges to root by exploiting a use-after-free flaw in the nftables subsystem. The vulnerab…
Timeline
- 2025-01-01 — Vulnerability discovered: A use-after-free vulnerability in the nftables subsystem was identified by Exodus Intelligence.
- 2026-02-05 — Patch released: The vulnerability CVE-2026-23111 was patched upstream in the Linux kernel.
- 2026-02-13 — CVE-2026-23111 published: CVE-2026-23111 was officially published, detailing the use-after-free vulnerability.
- 2026-06-09 — Proof of Concept released: A proof of concept demonstrating the exploitation of CVE-2026-23111 was made public.
Related entities
- Privilege Escalation (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-416 - Use After Free (CWE)
- T1068 - Exploitation for Privilege Escalation (MITRE ATT&CK)
- Linux (Platform)