A high-severity use-after-free vulnerability in the Linux kernel's nf_tables netfilter subsystem has a publicly available proof-of-concept exploit as of 9 June 2026. CVE-2026-23111 allows a local unprivileged user to corrupt kernel memory and gain root privileges, and in containerised environments to break out of container isolation entirely: the exploit runs code in the shared host kernel, so it reaches the host and every co-tenant container at once.
Vulnerability Details
nf_tables is the Linux kernel's modern packet filtering subsystem, introduced as the successor to iptables. It is used extensively in enterprise Linux deployments for firewall rules, NAT, and packet mangling and marking, and is the default firewall backend in many Linux distributions including Debian, Ubuntu, RHEL 9, and derivatives (firewalld and iptables-nft both program it).
CVE-2026-23111 is a use-after-free in the nf_tables rule transaction path. When nf_tables rules are modified concurrently, the kernel's transaction handler can access an object that has already been freed; an attacker who reclaims that memory with a different object type obtains type confusion, and from there arbitrary code execution in kernel context.
CVSS score: 7.8 (High). Attack vector: local; privileges required: low (an ordinary unprivileged local account, consistent with the description above); user interaction: none. The score corresponds to high impact on confidentiality, integrity and availability, that is, complete compromise of the affected host.
Affected versions: Linux kernel 5.15 through 6.10 according to the advisory; kernel 6.11 and later carry the upstream fix. A fix of this kind is normally also backported to the stable series and to distribution kernels, so the running version number by itself does not tell you whether a given package is patched; the fixed package version named in the vendor advisory is what to check. Most enterprise Linux distributions ship kernels in the affected range:
- Ubuntu 22.04 LTS (kernel 5.15)
- Ubuntu 24.04 LTS (kernel 6.8)
- Debian 12 Bookworm (kernel 6.1)
- RHEL 9 and derivatives (5.14-based kernel with extensive backports; its mainline version sits below the stated range, so version comparison is meaningless here and the vendor advisory is authoritative)
- SLES 15 SP5/SP6
Not affected: kernels built without nf_tables (CONFIG_NF_TABLES unset), and systems where the nf_tables module is neither loaded nor loadable on demand (see the mitigation below). Having no nftables rules defined is not by itself protection: the vulnerable code is reachable as soon as the module is present or can be autoloaded.
Container Escape Significance
The most consequential aspect of CVE-2026-23111 in enterprise environments is the container escape. Container isolation on Linux is built from kernel namespaces, cgroups, capability sets and seccomp filters, all enforced by the one kernel that every container on the node shares; there is no separate privilege domain. Arbitrary code execution in kernel context, which this bug provides, is therefore execution in the host kernel itself, and it removes every container boundary at once.
In containerised environments (Kubernetes, Docker Swarm, bare-metal container deployments):
- An attacker with code execution in any container on the node can trigger CVE-2026-23111
- Escalation to root on the host provides access to all container filesystems, secrets mounted as volumes, and service account tokens
- From the host, the attacker holds the node's kubelet credentials and every service account token mounted into pods on that node, can use them against the Kubernetes API to the extent those identities are authorised, and can pivot to adjacent nodes
This makes CVE-2026-23111 particularly dangerous in multi-tenant Kubernetes environments where containers from different workloads or tenants share the same kernel.
Exploitation Requirements
The public proof-of-concept requires:
- Local code execution (any unprivileged shell on the target, including one inside a container)
- A kernel with nf_tables support (standard in all major distributions)
- No privileged account. The advisory does not describe how the PoC reaches nf_tables, but the subsystem is configured over nfnetlink, which requires CAP_NET_ADMIN in the caller's network namespace; the established route for an unprivileged process is to create its own user and network namespaces, inside which it holds that capability. In practice the precondition is therefore that unprivileged user namespace creation is permitted, which is the default on most distributions (Ubuntu 24.04 restricts it for programs without an AppArmor profile).
This means any user account compromise, whether through web application exploitation, an exposed service, or credential theft, can be turned into a full host compromise via CVE-2026-23111.
Recommended Actions
Patch: Apply the kernel update from your distribution's security repository as soon as it is available, then reboot; a kernel package update does nothing for the kernel that is still running. Several distributions published advisories alongside the PoC release on 9 June; Ubuntu's USN was still pending at time of writing.
- Ubuntu (apply when the USN is released):
apt-get update && apt-get install linux-image-generic
- RHEL/CentOS Stream/AlmaLinux/Rocky:
dnf update kernel
- Debian:
apt-get update && apt-get install linux-image-amd64
After the reboot, confirm with uname -r that the running kernel is the fixed package version named in the vendor advisory.
Mitigation (pending patch): Disable nf_tables if it is not required for active firewall rules. This only works where nf_tables is a loadable module (the default in distribution kernels); a kernel built with CONFIG_NF_TABLES=y cannot drop it and must be patched.
# Check if nf_tables is in use for active rules
nft list ruleset
# Output from the first grep means nf_tables is built in (mitigation not applicable); output from the second means it is a loaded module
grep '/nf_tables\.ko' /lib/modules/$(uname -r)/modules.builtin
grep '^nf_tables ' /proc/modules
# If no rules are active, unload the nft_* helper modules first (modprobe -r refuses while dependents are loaded), then nf_tables itself
modprobe -r $(awk '/^nft_|^nf_tables_/ {print $1}' /proc/modules) nf_tables
# Prevent autoload: nfnetlink otherwise loads nf_tables on demand for any process that asks for it
echo "install nf_tables /bin/true" > /etc/modprobe.d/disable-nftables.conf
Note: If nf_tables is used for active firewall rules (common on systems using firewalld, or ufw with the iptables-nft backend), this mitigation is not applicable without replacing the firewall rule set. Restricting unprivileged user namespaces (for example sysctl -w user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels) is a complementary hardening step: it removes the usual route by which an unprivileged process obtains the CAP_NET_ADMIN that nf_tables configuration requires. It also breaks rootless containers and some application sandboxes, and it is not proof that the PoC is blocked.
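The version range and the mitigation checks above, pulled together as an exposure-check script. This is an added example written for this page, not part of the advisory or of any vendor tooling. It applies the advisory's stated range literally, treats RHEL-family backport kernels as "consult the vendor" rather than comparing their version number, reads module state from /proc/modules and modules.builtin, and reports whether unprivileged user namespaces are allowed. That last check rests on an assumption the advisory does not state: that the PoC, like other nf_tables attacks, needs CAP_NET_ADMIN obtained through a user namespace.

```shell
#!/bin/sh
# Exposure check for CVE-2026-23111 (added example, not from the advisory).
# The classification functions take their inputs as arguments so they can be
# exercised on sample data; run_exposure_check reads the live system, but only
# when the script is invoked with --run.

# classify_kernel <uname -r> -> affected | fixed | older | vendor-check
# Range is the advisory's: 5.15 <= mainline <= 6.10 affected, 6.11+ fixed.
classify_kernel() {
    case "$1" in
        *.el[0-9]*)                  # RHEL-family backport kernel, e.g. 5.14.0-427.el9:
            echo vendor-check        # the mainline number says nothing; read the vendor advisory
            return 0 ;;
    esac
    ck_major=${1%%.*}                # "6.8.0-45-generic" -> "6"
    ck_rest=${1#*.}                  #                   -> "8.0-45-generic"
    ck_minor=${ck_rest%%[!0-9]*}     #                   -> "8"  (and "6.12-rc1" -> "12")
    ck_minor=${ck_minor:-0}
    if [ "$ck_major" -eq 5 ] && [ "$ck_minor" -ge 15 ]; then
        echo affected
    elif [ "$ck_major" -eq 6 ] && [ "$ck_minor" -le 10 ]; then
        echo affected
    elif [ "$ck_major" -ge 6 ]; then # 6.11 and anything newer
        echo fixed
    else
        echo older                   # below 5.15: outside the stated range; confirm with the vendor
    fi
}

# nf_tables_state <proc modules file> <modules.builtin file> -> loaded | builtin | absent
nf_tables_state() {
    if grep -q '^nf_tables ' "$1" 2>/dev/null; then
        echo loaded                  # loadable module, currently loaded: removable if no rules use it
    elif grep -q '/nf_tables\.ko$' "$2" 2>/dev/null; then
        echo builtin                 # CONFIG_NF_TABLES=y: cannot be removed, only patched
    else
        echo absent                  # not loaded now, but autoloadable on demand unless blacklisted
    fi
}

# userns_unprivileged_allowed <user.max_user_namespaces> <kernel.unprivileged_userns_clone, "" if the sysctl is absent> -> yes | no
# Assumption: the attack path needs a user namespace to obtain CAP_NET_ADMIN.
userns_unprivileged_allowed() {
    if [ "${1:-0}" -gt 0 ] && [ "${2:-1}" -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

run_exposure_check() {
    rel=$(uname -r)
    echo "kernel $rel: $(classify_kernel "$rel")"
    echo "nf_tables: $(nf_tables_state /proc/modules "/lib/modules/$rel/modules.builtin")"
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
    echo "unprivileged user namespaces: $(userns_unprivileged_allowed "$maxns" "$clone")"
    if command -v nft >/dev/null 2>&1; then
        echo "nftables tables defined: $(nft list ruleset 2>/dev/null | grep -c '^table ')"
    fi
}

if [ "${1:-}" = "--run" ]; then      # usage: sh check-nft-exposure.sh --run
    run_exposure_check
fi
```

Run it as root so that nft list ruleset can read the ruleset. The script does not model Ubuntu 24.04's AppArmor-based user namespace restriction (kernel.apparmor_restrict_unprivileged_userns), so on that release a "yes" for user namespaces overstates exposure for unconfined programs.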
Kubernetes environments: Prioritise patching nodes in multi-tenant clusters. If immediate patching is not feasible, restrict shared nodes to trusted workloads, and make sure pods run under a seccomp profile: the container runtime's default profile (seccompProfile type RuntimeDefault in the pod securityContext, as the Pod Security "restricted" standard requires) denies unshare and clone with CLONE_NEWUSER, which removes the usual way an unprivileged process in a pod obtains the CAP_NET_ADMIN needed to reach nf_tables. Pods that are privileged or explicitly granted CAP_NET_ADMIN can reach it directly in their own network namespace regardless, so audit those too. None of this removes the bug; it only raises the cost of reaching it.
Detection: Monitor for the privilege escalation pattern that follows a successful exploit: unexpected setuid executions, processes running as root whose parent was not root and whose executable is not a setuid program, and unexpected writes to /etc/passwd, /etc/shadow, or cron directories. Inside pods, execution of nft, or of unshare and similar namespace-creating calls by workloads that have no reason to make them, is a useful precursor signal. Failed attempts against a memory-corruption bug often leave a kernel oops, warning or panic in the node's kernel log; alert on those on nodes that should never produce them. eBPF-based runtime security tools (Falco, Tetragon) can catch the post-exploitation pattern if their rule sets cover privilege escalation; they observe the symptoms, not the corruption itself.
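The detection heuristics above, expressed as an added example that runs over constructed sample data; this is not from the advisory and is not a Falco or Tetragon rule. The exec-event format is a simplified, made-up one for this example (in practice the fields would come from execve auditing and the file mode of the executable), and the kernel log lines are constructed in journalctl -k format with a generic oops header, not a real trace from this bug. Two checks are shown: a root process whose parent was not root and whose binary is not setuid, and oops or warning lines in the kernel log of the kind a failed memory-corruption attempt leaves behind.

```shell
#!/bin/sh
# Post-exploitation detection over constructed sample data (added example,
# not from the advisory). Exec-event format, made up for this example:
#   <parent_uid> <child_euid> <exe> <setuid_bit 0|1> <container|host>
# In a real pipeline the first four fields come from execve auditing
# (auditd, Tetragon) and the setuid bit from the file mode of <exe>.

SAMPLE_EXEC_EVENTS='1000 0 /usr/bin/sudo 1 host
1000 1000 /bin/bash 0 host
1000 0 /bin/sh 0 web-7f9c
0 0 /usr/sbin/cron 0 host
33 0 /tmp/.x/payload 0 web-7f9c
1000 0 /usr/bin/passwd 1 host'

# Constructed kernel log in journalctl -k format. The fault line is a generic
# oops header for illustration, not a trace taken from this vulnerability.
SAMPLE_KERNEL_LOG='Jun 09 14:02:11 node-3 kernel: IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Jun 09 14:07:48 node-3 kernel: general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] PREEMPT SMP NOPTI
Jun 09 14:07:48 node-3 kernel: CPU: 2 PID: 41872 Comm: a.out Not tainted 6.8.0-45-generic #45-Ubuntu
Jun 09 14:07:48 node-3 kernel: Call Trace:
Jun 09 14:09:02 node-3 kernel: audit: type=1400 audit(1780000000.123:57): apparmor="DENIED" operation="capable" class="cap"'

# find_privesc: stdin exec events -> one ALERT line per non-root parent that
# produced a euid-0 child through a non-setuid binary. sudo/su/passwd style
# transitions go through setuid executables and are excluded; a root child of
# a root parent (cron, init) is normal and excluded too.
find_privesc() {
    awk '$1 != 0 && $2 == 0 && $4 != 1 {
        printf "ALERT root process %s spawned by uid %s in %s\n", $3, $1, $5
    }'
}

# find_kernel_oops: stdin kernel log -> lines carrying an oops/warning signature.
# Any of these on a worker node that normally never faults deserves a look.
find_kernel_oops() {
    grep -E 'kernel: (BUG:|Oops:|general protection fault|WARNING: CPU:|KASAN:|Kernel panic)' || true
}

# count_lines: portable line count (wc -l pads its output on some platforms).
count_lines() {
    awk 'END { print NR }'
}

privesc_alert_count() {
    printf '%s\n' "$SAMPLE_EXEC_EVENTS" | find_privesc | count_lines
}

kernel_oops_count() {
    printf '%s\n' "$SAMPLE_KERNEL_LOG" | find_kernel_oops | count_lines
}

if [ "${1:-}" = "--demo" ]; then     # usage: sh detect-privesc.sh --demo
    printf '%s\n' "$SAMPLE_EXEC_EVENTS" | find_privesc
    printf '%s\n' "$SAMPLE_KERNEL_LOG" | find_kernel_oops
fi
```

On the sample data the exec check raises two alerts (the /bin/sh and /tmp/.x/payload events) and stays silent for sudo, passwd and cron; the kernel-log check matches only the fault header. The setuid exclusion is the part that keeps this rule quiet in normal operation, so in a live deployment it should be derived from the file mode at exec time rather than from a fixed list of binary names.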