## https://sploitus.com/exploit?id=42AB7263-83ED-599E-9DD2-2E97F2B90A99
# CVE-2026-23111 PoC
Linux Kernel nf_tables Use-After-Free (Local Privilege Escalation)
## Vulnerability Summary
- **CVE**: CVE-2026-23111
- **Type**: Use-After-Free (CWE-416)
- **CVSS**: 7.8 (HIGH)
- **Component**: `net/netfilter/nf_tables_api.c` → `nft_map_catchall_activate()`
- **Root Cause**: Inverted genmask check causes chain reference counter leak during transaction abort
### Affected Kernel Versions
| Version Range | Fixed In |
|---|---|
| 6.19-rc1 to 6.19-rc8 | 6.19-rc9+ |
| 6.13 to 6.18.9 | 6.18.10 |
| 6.7 to 6.12.69 | 6.12.70 |
| 6.4.1 to 6.6.123 | 6.6.124 |
| 6.1.36 to 6.1.162 | 6.1.163 |
| 5.15.121 to 5.15.199 | 5.15.200 |
| 5.10.188+, 5.4.262+, 4.19.316+ | Various LTS |
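The following version-range check is an added example, not the repository's own `CVE-2026-23111-checker.py`. It transcribes the rows of the table above, parses a `uname -r` style release string (an `-rcN` suffix sorts before the final release of the same version), and reports which row, if any, the running kernel falls into. The open-ended rows (`5.10.188+`, `5.4.262+`, `4.19.316+`) have no fix version on this page, so they are reported as affected with an unknown fix. Distribution kernels backport fixes without bumping the version string, so a match is a reason to check the vendor changelog, not a confirmation.

```python
"""Classify a kernel release string against the affected ranges listed above."""
import platform
import re

# Transcribed from the table above: (first_affected, last_affected, fixed_in).
# last_affected=None marks the open-ended "x.y.z+" rows, whose fix version the
# table gives only as "Various LTS".
AFFECTED_RANGES = [
    ("6.19-rc1", "6.19-rc8", "6.19-rc9"),
    ("6.13", "6.18.9", "6.18.10"),
    ("6.7", "6.12.69", "6.12.70"),
    ("6.4.1", "6.6.123", "6.6.124"),
    ("6.1.36", "6.1.162", "6.1.163"),
    ("5.15.121", "5.15.199", "5.15.200"),
    ("5.10.188", None, None),
    ("5.4.262", None, None),
    ("4.19.316", None, None),
]

# Accepts "6.18.9", "6.19-rc3", "6.19.0-rc3" and distro strings like "6.8.0-45-generic".
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
FINAL = 10**6  # rc rank for a final release: sorts after every -rcN of that version


def parse_release(release):
    """Return a comparable (major, minor, patch, rc) tuple for a release string."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else FINAL)


def classify(release):
    """Return ('affected', fixed_in) if the release is inside a listed range,
    otherwise ('not_listed', None). fixed_in is None for the open-ended rows."""
    v = parse_release(release)
    for first, last, fixed_in in AFFECTED_RANGES:
        lo = parse_release(first)
        if last is None:
            # Open-ended row: same major.minor series, at or above the first affected patch level.
            if v[:2] == lo[:2] and v >= lo:
                return ("affected", fixed_in)
        elif lo <= v <= parse_release(last):
            return ("affected", fixed_in)
    return ("not_listed", None)


if __name__ == "__main__":
    release = platform.release()
    status, fixed_in = classify(release)
    if status == "affected":
        fix = f"fixed in {fixed_in}" if fixed_in else "fix version not listed on this page"
        print(f"{release}: version is in an affected range ({fix}); verify against the vendor changelog")
    else:
        print(f"{release}: version is not in any listed affected range")
```

Run it as `python3 check_version.py` (file name is the reader's choice) on the host in question; the `classify()` function is what a fleet inventory script would call on each collected release string.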
## Quick Start
```bash
# Check vulnerability
python3 CVE-2026-23111-checker.py --detailed
# Build exploit
make
# Run PoC
./exploit -d
```
## Exploit Stages
### Phase 1: UAF Trigger (status: working)
Creates a pipapo map set with a catchall element (goto victim chain), then uses the inverted genmask bug during a DELSET abort to corrupt `chain->use`. After advancing the generation counter, `DELCHAIN` succeeds despite dangling references, freeing the chain.
### Phase 2: KASLR Leak (status: in progress)
After the UAF, `chain->name` memory is freed. We spray `seq_operations` structures (32 bytes) by opening `/proc/self/stat` to reclaim the freed slab cache slot. Reading back the set's catchall element reveals kernel function pointers.
### Phase 3: Heap Address Leak (status: in progress)
Re-triggers the UAF with a longer chain name (140 bytes → kmalloc-cg-192), then sprays `nft_rule` objects to reclaim the memory. The leaked `list_head` pointers reveal heap addresses.
### Phase 4: Control Flow Hijack & ROP (status: blocked, requires kernel struct offsets)
Requires:
- Kernel struct layouts (nft_chain, nft_expr, nft_expr_ops, nft_rule_blob)
- ROP gadgets (automatically scanned from /proc/kcore)
- Spray primitive for kmalloc-cg-128 (chain struct size)
## Technical Details
### The Bug
In `nft_map_catchall_activate()` (`net/netfilter/nf_tables_api.c`):
```c
list_for_each_entry(catchall, &set->catchall_list, list) {
    ext = nft_set_elem_ext(set, catchall->elem);
    if (!nft_set_elem_active(ext, genmask)) /* BUG: should be without '!' */
        continue;
    nft_clear(ctx->net, ext);
    nft_setelem_data_activate(ctx->net, set, catchall->elem);
    break;
}
```
The `!` causes the function to skip INACTIVE elements instead of processing them. During transaction abort, the catchall element (which was just deactivated by DELSET) is skipped, so `nft_data_hold()` is never called to restore the chain reference counter.
### Exploit Mechanism
1. Create pipapo map set with catchall element → goto victim chain
2. **Batch A**: DELSET + invalid op → abort → chain->use stays at 0
3. **Batch B**: Valid transaction → advance genid
4. **Batch C**: DELCHAIN → chain freed (chain->use == 0, but dangling ref exists)
5. Set's catchall element still references freed chain name → spray + readback
## Files
```
├── CVE-2026-23111-checker.py   Vulnerability detection script
├── exploit.c                   Main exploit source
├── Makefile                    Build configuration
└── README.md                   This file
```
## Build Requirements
```bash
apt-get install -y libmnl-dev libnftnl-dev gcc make python3
```
## References
- [Exodus Intel Blog - Detailed Analysis](https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-23111)
- [Kernel Patch 1](https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd)
- [Kernel Patch 2](https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d)
## Mitigation
1. Update kernel to patched version (6.18.10+, 6.12.70+, 6.6.124+, etc.)
2. Disable unprivileged user namespaces: `sysctl kernel.unprivileged_userns_clone=0`
3. Blacklist `nf_tables` module if not needed
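An audit of mitigations 2 and 3 from the list above, added here as an example; it is not part of the repository. Two points it encodes that the list does not spell out: `kernel.unprivileged_userns_clone` exists only on kernels carrying the Debian/Ubuntu patch, and on a mainline kernel the available knob is `user.max_user_namespaces=0` (which also stops root creating user namespaces); and a plain `blacklist nf_tables` line only prevents alias-based autoloading, so an `install nf_tables /bin/false` rule is needed to refuse explicit load requests, and neither has any effect while the module is already loaded. The `audit_mitigations()` function works on captured text so it can be run against collected files; `collect_live()` reads the local system. The sample inputs below are constructed.

```python
"""Audit user-namespace and nf_tables module mitigations from captured system state."""
import re
from pathlib import Path

# Constructed sample inputs, in the formats of /etc/modprobe.d/*.conf and /proc/modules.
SAMPLE_MODPROBE = "# hardening\nblacklist nf_tables\ninstall nf_tables /bin/false\n"
SAMPLE_PROC_MODULES = (
    "nf_tables 286720 12 nft_compat,nft_chain_nat, Live 0x0000000000000000\n"
    "x_tables 65536 1 - Live 0x0000000000000000\n"
)


def audit_mitigations(userns_clone, modprobe_conf, proc_modules):
    """Evaluate the mitigation state.

    userns_clone:  text of /proc/sys/kernel/unprivileged_userns_clone, or None if absent
    modprobe_conf: concatenated text of /etc/modprobe.d/*.conf
    proc_modules:  text of /proc/modules
    Returns a dict of finding -> True/False (None when the sysctl is unavailable).
    """
    findings = {}
    if userns_clone is None:
        findings["unprivileged_userns_disabled"] = None
    else:
        findings["unprivileged_userns_disabled"] = userns_clone.strip() == "0"

    # Strip comments and whitespace from modprobe config lines before matching.
    lines = [line.split("#", 1)[0].strip() for line in modprobe_conf.splitlines()]
    findings["nf_tables_blacklisted"] = any(
        re.fullmatch(r"blacklist\s+nf_tables", line) for line in lines
    )
    findings["nf_tables_install_blocked"] = any(
        re.fullmatch(r"install\s+nf_tables\s+/bin/(false|true)", line) for line in lines
    )
    # /proc/modules: first field of each line is the module name.
    findings["nf_tables_loaded"] = any(
        line.split(" ", 1)[0] == "nf_tables" for line in proc_modules.splitlines() if line
    )
    return findings


def remaining_gaps(findings):
    """Translate findings into the actions still outstanding."""
    gaps = []
    if findings["unprivileged_userns_disabled"] is None:
        gaps.append("kernel.unprivileged_userns_clone not present on this kernel; "
                    "use user.max_user_namespaces=0 instead (affects root too)")
    elif not findings["unprivileged_userns_disabled"]:
        gaps.append("unprivileged user namespaces are enabled")
    if findings["nf_tables_loaded"]:
        gaps.append("nf_tables is currently loaded; modprobe rules only apply once it is unloaded or after reboot")
    if findings["nf_tables_blacklisted"] and not findings["nf_tables_install_blocked"]:
        gaps.append("'blacklist' only stops alias autoload; add 'install nf_tables /bin/false'")
    if not findings["nf_tables_blacklisted"] and not findings["nf_tables_install_blocked"]:
        gaps.append("no modprobe rule for nf_tables")
    return gaps


def collect_live():
    """Read the three inputs from the local system (all world-readable)."""
    sysctl = Path("/proc/sys/kernel/unprivileged_userns_clone")
    userns = sysctl.read_text() if sysctl.exists() else None
    conf_dir = Path("/etc/modprobe.d")
    conf = ""
    if conf_dir.is_dir():
        conf = "\n".join(f.read_text() for f in sorted(conf_dir.glob("*.conf")))
    modules = Path("/proc/modules")
    return userns, conf, modules.read_text() if modules.exists() else ""


if __name__ == "__main__":
    findings = audit_mitigations(*collect_live())
    for name, value in findings.items():
        print(f"{name}: {value}")
    for gap in remaining_gaps(findings):
        print(f"TODO: {gap}")
```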