Share
## https://sploitus.com/exploit?id=EB1B1C01-A5A0-574A-B294-7FDBCFB1D494
# CVE-2026-23111

For more details, see `notes.md`

## Description

[CVE Description](https://nvd.nist.gov/vuln/detail/CVE-2026-23111) from NIST

An inverted logical check in `nft_map_catchall_activate()` causes `nft_chain->use` reference count to not be restored when a `DELSET` operation is aborted. This allows triggering UAF, and can be abused to obtain **local privilege escalation**

The bug was fixed in commit [1444ff890b4653add12f734ffeffc173d42862dd](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1444ff890b4653add12f734ffeffc173d42862dd)

## Pre-Requisites

- Linux Kernel version 6.12.69 and below contains this inverted check
- `CONFIG_USER_NS` and `CONFIG_NF_TABLES` must not be disabled


## References

Credits to the following which helped me in understanding and creating this PoC:  
- FuzzingLabs - [Reproducing CVE-2026-23111: How one character can change everything](https://fuzzinglabs.com/repro-cve-2026-23111/)
- Exodus Intel - [Off By !: Exploiting a Use-after-Free in the Linux Kernel](https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/)

Reference for creating nf_tables:  
- [CVE-2023-31248](https://github.com/star-sg/CVE/blob/master/CVE-2023-31248/exploit.c)
    - a lot of the logic was quite similar, so this was a very good reference


# No License

The code in this repository comes with no attached license.

THE SOFTWARE [and this disclaimer] IS PROVIDED โ€œAS ISโ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.