netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
Summary
| CVE | CVE-2026-23111 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-13 14:16:10 UTC |
| Updated | 2026-04-03 14:16:23 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-416
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 8c760ba4e36c750379d13569f23f5a6e185333f5 git | Not specified |
| CNA | Linux | Linux | affected d60be2da67d172aecf866302c91ea11533eca4d9 b9b6573421de51829f7ec1cce76d85f5f6fbbd7f git | Not specified |
| CNA | Linux | Linux | affected 628bd3e49cba1c066228e23d71a852c23e26da73 42c574c1504aa089a0a142e4c13859327570473d git | Not specified |
| CNA | Linux | Linux | affected 628bd3e49cba1c066228e23d71a852c23e26da73 1444ff890b4653add12f734ffeffc173d42862dd git | Not specified |
| CNA | Linux | Linux | affected 628bd3e49cba1c066228e23d71a852c23e26da73 8b68a45f9722f2babe9e7bad00aa74638addf081 git | Not specified |
| CNA | Linux | Linux | affected 628bd3e49cba1c066228e23d71a852c23e26da73 f41c5d151078c5348271ffaf8e7410d96f2d82f8 git | Not specified |
| CNA | Linux | Linux | affected bc9f791d2593f17e39f87c6e2b3a36549a3705b1 git | Not specified |
| CNA | Linux | Linux | affected 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 git | Not specified |
| CNA | Linux | Linux | affected a136b7942ad2a50de708f76ea299ccb45ac7a7f9 git | Not specified |
| CNA | Linux | Linux | affected dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 git | Not specified |
| CNA | Linux | Linux | affected 6.4 | Not specified |
| CNA | Linux | Linux | unaffected 6.4 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.200 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.163 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.124 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.70 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.10 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.