{"id":"CVE-2026-23111","summary":"netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don't need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter-\u003egenmask))\n        return 0;   /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.","modified":"2026-04-24T06:42:50.481140205Z","published":"2026-02-13T13:29:55.895Z","related":["ALSA-2026:6570","SUSE-SU-2026:0962-1","SUSE-SU-2026:1041-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:1180-1","SUSE-SU-2026:1185-1","SUSE-SU-2026:1187-1","SUSE-SU-2026:1188-1","SUSE-SU-2026:1189-1","SUSE-SU-2026:1225-1","SUSE-SU-2026:1236-1","SUSE-SU-2026:1239-1","SUSE-SU-2026:1244-1","SUSE-SU-2026:1259-1","SUSE-SU-2026:1261-1","SUSE-SU-2026:1262-1","SUSE-SU-2026:1266-1","SUSE-SU-2026:1271-1","SUSE-SU-2026:1272-1","SUSE-SU-2026:1274-1","SUSE-SU-2026:1278-1","SUSE-SU-2026:1279-1","SUSE-SU-2026:1283-1","SUSE-SU-2026:1284-1","SUSE-SU-2026:20667-1","SUSE-SU-2026:20720-1","SUSE-SU-2026:20838-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20931-1","SUSE-SU-2026:21004-1","SUSE-SU-2026:21005-1","SUSE-SU-2026:21006-1","SUSE-SU-2026:21007-1","SUSE-SU-2026:21008-1","SUSE-SU-2026:21009-1","SUSE-SU-2026:21020-1","SUSE-SU-2026:21040-1","SUSE-SU-2026:21041-1","SUSE-SU-2026:21042-1","SUSE-SU-2026:21043-1","SUSE-SU-2026:21044-1","SUSE-SU-2026:21045-1","SUSE-SU-2026:21046-1","SUSE-SU-2026:21047-1","SUSE-SU-2026:21048-1","SUSE-SU-2026:21049-1","SUSE-SU-2026:21050-1","SUSE-SU-2026:21051-1","SUSE-SU-2026:21052-1","SUSE-SU-2026:21053-1","SUSE-SU-2026:21054-1","SUSE-SU-2026:21055-1","SUSE-SU-2026:21056-1","SUSE-SU-2026:21057-1","SUSE-SU-2026:21058-1","SUSE-SU-2026:21059-1","SUSE-SU-2026:21060-1","SUSE-SU-2026:21061-1","SUSE-SU-2026:21070-1","SUSE-SU-2026:21071-1","SUSE-SU-2026:21072-1","SUSE-SU-2026:21073-1","SUSE-SU-2026:21074-1","SUSE-SU-2026:21075-1","SUSE-SU-2026:21076-1","SUSE-SU-2026:21077-1","SUSE-SU-2026:21078-1","SUSE-SU-2026:21079-1","SUSE-SU-2026:21080-1","SUSE-SU-2026:21081-1","SUSE-SU-2026:21082-1","SUSE-SU-2026:21083-1","SUSE-SU-2026:21084-1","SUSE-SU-2026:21085-1","SUSE-SU-2026:21086-1","SUSE-SU-2026:21087-1","SUSE-SU-2026:21088-1","SUSE-SU-2026:21089-1","SUSE-SU-2026:21090-1","SUSE-SU-2026:21091-1","SUSE-SU-2026:21096-1","SUSE-SU-2026:21098-1","SUSE-SU-2026:21099-1","SUSE-SU-2026:21100-1","SUSE-SU-2026:21102-1","SUSE-SU-2026:21216-1","SUSE-SU-2026:21217-1","SUSE-SU-2026:21218-1","SUSE-SU-2026:21219-1","SUSE-SU-2026:21220-1","SUSE-SU-2026:21221-1","openSUSE-SU-2026:20416-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23111.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23111.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23111"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8"},{"fixed":"8c760ba4e36c750379d13569f23f5a6e185333f5"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d60be2da67d172aecf866302c91ea11533eca4d9"},{"fixed":"b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"628bd3e49cba1c066228e23d71a852c23e26da73"},{"fixed":"42c574c1504aa089a0a142e4c13859327570473d"},{"fixed":"1444ff890b4653add12f734ffeffc173d42862dd"},{"fixed":"8b68a45f9722f2babe9e7bad00aa74638addf081"},{"fixed":"f41c5d151078c5348271ffaf8e7410d96f2d82f8"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"bc9f791d2593f17e39f87c6e2b3a36549a3705b1"},{"last_affected":"3c7ec098e3b588434a8b07ea9b5b36f04cef1f50"},{"last_affected":"a136b7942ad2a50de708f76ea299ccb45ac7a7f9"},{"last_affected":"dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23111.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}