CVE-2026-23111, the Linux kernel nf_tables use-after-free vulnerability with public exploit code, requires immediate assessment across Linux production environments. This guide provides distribution-specific patch availability, interim mitigations for environments that cannot immediately patch, and detection content for runtime security monitoring.
Patch Availability by Distribution
| Distribution | Status | Update Command |
|---|---|---|
| Ubuntu 22.04 LTS (kernel 5.15) | Patch available (USN published June 10) | `apt-get update && apt-get dist-upgrade linux-image-generic` |
| Ubuntu 24.04 LTS (kernel 6.8) | Patch available | `apt-get update && apt-get dist-upgrade linux-image-generic` |
| Debian 12 Bookworm (kernel 6.1) | Patch available (DSA published June 10) | `apt-get update && apt-get dist-upgrade linux-image-amd64` |
| RHEL 9 / AlmaLinux 9 / Rocky Linux 9 | Patch available (RHSA published June 10) | `dnf update kernel` |
| RHEL 8 | Patch under review (timeline June 12-14) | Monitor RHSA channel |
| Amazon Linux 2023 | Patch available (ALAS published June 11) | `yum update kernel` |
| Amazon Linux 2 | Patch under review | Monitor AWS security bulletins |
| SLES 15 SP5/SP6 | Patch available (SUSE-SU published June 11) | `zypper update -t patch` |
Post-patch requirement: A reboot is required to load the patched kernel. Live kernel patching (Canonical Livepatch, RHEL's kpatch) may allow patching without a reboot; consult your live patch vendor for CVE-2026-23111 availability.
Interim Mitigations
Option 1: Unload the nf_tables kernel module (highest effectiveness, limited applicability)
If nf_tables is not actively in use for firewall rules, unloading the module removes the vulnerable code from the running kernel:
```sh
# Check for active nf_tables rules
nft list ruleset
# If the output is empty, it is safe to unload. Note that modprobe -r fails
# with "Module nf_tables is in use" while any nft_* module still holds a
# reference; those dependent modules must be removed first.
modprobe -r nf_tables
# Prevent automatic reload on the next nft/iptables-nft invocation
echo "install nf_tables /bin/true" >> /etc/modprobe.d/disable-nftables.conf
```
Limitation: Systems using firewalld, ufw, or iptables in nf_tables mode (default in RHEL 8/9, Ubuntu 20.04+, Debian 10+) cannot unload nf_tables without losing their firewall rules. Verify the firewall backend before attempting this mitigation.
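The checks listed above (empty ruleset, firewall backend, dependent modules) as a single pre-flight script. This is an added example, not part of the advisory; `nft_unload_check` and `nft_unload_check_live` are names chosen here, and the sample `/proc/modules` lines used in testing are constructed.

```sh
#!/bin/sh
# Added example, not part of the advisory: a pre-flight check for Option 1.
# nft_unload_check decides from captured inputs whether `modprobe -r nf_tables`
# is safe to run; nft_unload_check_live feeds it the running host's state.
# Returns 0 (safe) or 1 (unsafe) and prints the reason on stdout.
nft_unload_check() {
    ruleset="$1"     # output of `nft list ruleset`
    units="$2"       # active systemd service units, one per line
    modules="$3"     # contents of /proc/modules
    ipt_version="$4" # output of `iptables -V` (empty if not installed)

    # Any non-blank ruleset output means rules would be lost on unload.
    if printf '%s\n' "$ruleset" | grep -q '[^[:space:]]'; then
        echo "unsafe: nf_tables ruleset is not empty"
        return 1
    fi
    # Firewall managers that program nf_tables (firewalld, ufw, nftables.service).
    for u in $units; do
        case "$u" in
            firewalld.service|ufw.service|nftables.service)
                echo "unsafe: $u is active and manages nf_tables rules"
                return 1 ;;
        esac
    done
    # iptables in nf_tables mode uses the same kernel backend.
    case "$ipt_version" in
        *nf_tables*) echo "unsafe: iptables is in nf_tables mode"; return 1 ;;
    esac
    # Column 4 of /proc/modules lists modules holding a reference ("-" if none);
    # modprobe -r refuses to unload nf_tables while nft_* modules are loaded.
    users=$(printf '%s\n' "$modules" | awk '$1 == "nf_tables" { print $4 }')
    if [ -n "$users" ] && [ "$users" != "-" ]; then
        echo "unsafe: nf_tables still referenced by ${users%,}; unload those first"
        return 1
    fi
    echo "safe: no rules, no firewall manager, no dependent modules"
}

# Gather the live state (run as root: ./check.sh --live).
nft_unload_check_live() {
    nft_unload_check "$(nft list ruleset 2>/dev/null)" \
        "$(systemctl list-units --type=service --state=active --plain --no-legend 2>/dev/null | awk '{print $1}')" \
        "$(cat /proc/modules)" \
        "$(iptables -V 2>/dev/null)"
}
if [ "${1:-}" = "--live" ]; then nft_unload_check_live; fi
```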
Option 2: Restrict unprivileged user namespaces (moderate effectiveness)
The CVE-2026-23111 exploit requires the ability to create user namespaces, which is needed for the race condition setup. Restricting this capability blocks the exploit path used by the public PoC:
```sh
# kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel patch; mainline
# kernels (RHEL, SLES, Amazon Linux) expose user.max_user_namespaces instead
sysctl -w kernel.unprivileged_userns_clone=0
# Make persistent
echo "kernel.unprivileged_userns_clone=0" >> /etc/sysctl.conf
```
Limitation: This mitigation may break applications that use user namespaces for sandboxing (Chrome/Chromium, Firefox, some container runtimes). Test in non-production before applying.
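The same mitigation written to pick whichever user-namespace sysctl the running kernel exposes, persist it, and verify it from an unprivileged account. This is an added example, not part of the advisory; the function names, the drop-in file name `99-cve-2026-23111-userns.conf`, and the use of the `nobody` account for verification are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the advisory: pick the user-namespace sysctl the
# running kernel exposes, persist it under /etc/sysctl.d, then verify that an
# unprivileged `unshare -U` is refused. Directory arguments default to the
# real paths but can point at a constructed tree for offline testing.

# Print the key=value that disables unprivileged user namespaces: the
# Debian/Ubuntu patch knob if present, otherwise the mainline per-user limit
# (note: max_user_namespaces=0 also stops root from creating user namespaces).
userns_sysctl_key() {
    proc_sys="${1:-/proc/sys}"
    if [ -e "$proc_sys/kernel/unprivileged_userns_clone" ]; then
        echo "kernel.unprivileged_userns_clone=0"
    elif [ -e "$proc_sys/user/max_user_namespaces" ]; then
        echo "user.max_user_namespaces=0"
    else
        return 1   # neither knob: kernel built without CONFIG_USER_NS
    fi
}

# Persist the setting idempotently in a drop-in file; prints the file path.
userns_persist() {
    key="$1"; sysctl_d="${2:-/etc/sysctl.d}"
    f="$sysctl_d/99-cve-2026-23111-userns.conf"
    grep -qxF "$key" "$f" 2>/dev/null || printf '%s\n' "$key" >> "$f"
    echo "$f"
}

# Apply now, persist, and confirm the mitigation from an unprivileged account.
apply_userns_mitigation() {
    key=$(userns_sysctl_key) || { echo "no user-namespace sysctl on this kernel" >&2; return 1; }
    sysctl -w "$key"
    userns_persist "$key"
    # `unshare -U true` must now fail with EPERM for a non-root user.
    if su -s /bin/sh nobody -c 'unshare -U true' 2>/dev/null; then
        echo "verification failed: unprivileged user namespaces still allowed" >&2
        return 1
    fi
    echo "verified: unprivileged user namespace creation refused"
}
if [ "${1:-}" = "--apply" ]; then apply_userns_mitigation; fi
```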
Option 3: AppArmor/SELinux profile hardening (defence-in-depth)
Linux Security Module profiles can restrict nf_tables operations to root-only, blocking unprivileged access to the vulnerable code path. This is distribution-specific:
- Ubuntu/Debian with AppArmor: restrict `@{PROC}/*/net/nf_conntrack` and `capability net_admin` in the profiles of potentially exploitable services
- RHEL/Rocky/Alma with SELinux: verify `nftables_rule_t` restrictions are in place (enforcing mode provides default restrictions)
Detection: Falco Rules for CVE-2026-23111
For environments using Falco for runtime security monitoring:
```yaml
# `spawned_process` is the stock Falco macro for execve/execveat events, so a
# predicate on syscall.type = "clone" can never be true in the same rule; that
# clause has been dropped so the rule can actually fire.
- rule: CVE-2026-23111 nf_tables Exploitation Attempt
  desc: Detects kernel privilege escalation via nf_tables use-after-free
  condition: >
    spawned_process and
    not user.uid = 0 and
    proc.name = "nft" and
    proc.pid != proc.vpid
  output: >
    Potential CVE-2026-23111 exploitation - nft spawned by unprivileged user inside a pid namespace
    (user=%user.name uid=%user.uid proc=%proc.name pid=%proc.pid parent=%proc.pname)
  priority: CRITICAL
  tags: [CVE-2026-23111, privilege_escalation, linux_kernel]

# `container_entrypoint_processes` is not a stock Falco list: define it
# (- list: container_entrypoint_processes / items: [...]) with the expected
# entrypoint binaries of your images before loading this rule.
- rule: Unexpected Root Process Spawned from Container
  desc: Post-exploitation indicator - container escape to root
  condition: >
    spawned_process and
    container and
    user.uid = 0 and
    not proc.name in (container_entrypoint_processes)
  output: >
    Root process spawned in container - possible container escape
    (user=%user.name container=%container.id image=%container.image proc=%proc.name)
  priority: CRITICAL
  tags: [container_escape, privilege_escalation]
```
Kubernetes-Specific Guidance
In Kubernetes environments, CVE-2026-23111 is a node-level kernel vulnerability. Any pod running on the affected node can potentially exploit it to escape the container to the node.
Prioritise patching nodes: All Kubernetes worker nodes running affected kernel versions need the patch. Control plane nodes are also affected if they run standard Linux kernels.
PodSecurityAdmission controls: Ensure the restricted PodSecurityAdmission level is applied to untrusted workload namespaces. The restricted profile denies pods from running privileged containers and blocks capabilities like NET_ADMIN, reducing the attack surface but not eliminating CVE-2026-23111, as the PoC uses standard syscalls.
Temporary isolation: For multi-tenant clusters where isolation between workloads is critical, consider draining nodes that cannot be immediately patched and restricting workloads to patched nodes only.
Node monitoring: If Azure Defender for Kubernetes, AWS Defender for EKS, or equivalent is deployed, enable the kernel-level detection rules that flag privilege escalation attempts from container processes; these rules detect the post-exploitation phase even if the initial exploit is not caught.