FKIE_CVE-2026-23111

Vulnerability from fkie_nvd - Published: 2026-02-13 14:16 - Updated: 2026-02-13 14:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter-\u003egenmask))\n        return 0;   /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnetfilter: nf_tables: correcci\u00f3n de la comprobaci\u00f3n genmask invertida en nft_map_catchall_activate()\n\nnft_map_catchall_activate() tiene una comprobaci\u00f3n de actividad de elemento invertida en comparaci\u00f3n con su contraparte no-catchall nft_mapelem_activate() y en comparaci\u00f3n con lo que se requiere l\u00f3gicamente.\n\nnft_map_catchall_activate() es llamada desde la ruta de aborto para reactivar elementos de mapa catchall que fueron desactivados durante una transacci\u00f3n fallida. Deber\u00eda omitir los elementos que ya est\u00e1n activos (no necesitan reactivaci\u00f3n) y procesar los elementos que est\u00e1n inactivos (necesitan ser restaurados). En cambio, el c\u00f3digo actual hace lo contrario: omite los elementos inactivos y procesa los activos.\n\nCompare la devoluci\u00f3n de llamada de activaci\u00f3n no-catchall, que es correcta:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter-\u0026gt;genmask))\n        return 0;   /* omitir activos, procesar inactivos */\n\nCon la versi\u00f3n catchall con errores:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* omitir inactivos, procesar activos */\n\nLa consecuencia es que cuando una operaci\u00f3n DELSET es abortada, nft_setelem_data_activate() nunca es llamada para el elemento catchall. Para los elementos de veredicto NFT_GOTO, esto significa que nft_data_hold() nunca es llamada para restaurar el contador de referencias chain-\u0026gt;use. Cada ciclo de aborto decrementa permanentemente chain-\u0026gt;use. Una vez que chain-\u0026gt;use llega a cero, DELCHAIN tiene \u00e9xito y libera la cadena mientras que los elementos de veredicto catchall a\u00fan la referencian, resultando en un uso despu\u00e9s de liberaci\u00f3n.\n\nEsto es explotable para escalada de privilegios local desde un usuario sin privilegios a trav\u00e9s de espacios de nombres de usuario + nftables en distribuciones que habilitan CONFIG_USER_NS y CONFIG_NF_TABLES.\n\nCorrecci\u00f3n eliminando la negaci\u00f3n para que la comprobaci\u00f3n coincida con nft_mapelem_activate(): omitir elementos activos, procesar inactivos."
    }
  ],
  "id": "CVE-2026-23111",
  "lastModified": "2026-02-13T14:23:48.007",
  "metrics": {},
  "published": "2026-02-13T14:16:10.283",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.