CVE ID : CVE-2026-23111<\/p>\n
Published : Feb. 13, 2026, 1:29 p.m. | 59\u00a0minutes ago<\/p>\n
Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()<\/p>\n
nft_map_catchall_activate() has an inverted element activity check
\ncompared to its non-catchall counterpart nft_mapelem_activate() and
\ncompared to what is logically required.<\/p>\n
nft_map_catchall_activate() is called from the abort path to re-activate
\ncatchall map elements that were deactivated during a failed transaction.
\nIt should skip elements that are already active (they don’t need
\nre-activation) and process elements that are inactive (they need to be
\nrestored). Instead, the current code does the opposite: it skips inactive
\nelements and processes active ones.<\/p>\n
Compare the non-catchall activate callback, which is correct:<\/p>\n
nft_mapelem_activate():
\n if (nft_set_elem_active(ext, iter->genmask))
\n return 0; \/* skip active, process inactive *\/<\/p>\n
With the buggy catchall version:<\/p>\n
nft_map_catchall_activate():
\n if (!nft_set_elem_active(ext, genmask))
\n continue; \/* skip inactive, process active *\/<\/p>\n
The consequence is that when a DELSET operation is aborted,
\nnft_setelem_data_activate() is never called for the catchall element.
\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never
\ncalled to restore the chain->use reference count. Each abort cycle
\npermanently decrements chain->use. Once chain->use reaches zero,
\nDELCHAIN succeeds and frees the chain while catchall verdict elements
\nstill reference it, resulting in a use-after-free.<\/p>\n
This is exploitable for local privilege escalation from an unprivileged
\nuser via user namespaces + nftables on distributions that enable
\nCONFIG_USER_NS and CONFIG_NF_TABLES.<\/p>\n
Fix by removing the negation so the check matches nft_mapelem_activate():
\nskip active elements, process inactive ones.<\/p>\n
Severity: 0.0 | NA<\/p>\n
Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE ID : CVE-2026-23111 Published : Feb. 13, 2026, 1:29 p.m. | 59\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-77074","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77074","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=77074"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77074\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=77074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=77074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=77074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}