| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026021300-CVE-2026-23111-9762@gregkh>
Date: Fri, 13 Feb 2026 14:30:00 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate():
if (nft_set_elem_active(ext, iter->genmask))
return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate():
if (!nft_set_elem_active(ext, genmask))
continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
The Linux kernel CVE team has assigned CVE-2026-23111 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.15.121 with commit 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 and fixed in 5.15.200 with commit 8c760ba4e36c750379d13569f23f5a6e185333f5
Issue introduced in 6.1.36 with commit d60be2da67d172aecf866302c91ea11533eca4d9 and fixed in 6.1.163 with commit b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
Issue introduced in 6.4 with commit 628bd3e49cba1c066228e23d71a852c23e26da73 and fixed in 6.6.124 with commit 42c574c1504aa089a0a142e4c13859327570473d
Issue introduced in 6.4 with commit 628bd3e49cba1c066228e23d71a852c23e26da73 and fixed in 6.12.70 with commit 1444ff890b4653add12f734ffeffc173d42862dd
Issue introduced in 6.4 with commit 628bd3e49cba1c066228e23d71a852c23e26da73 and fixed in 6.18.10 with commit 8b68a45f9722f2babe9e7bad00aa74638addf081
Issue introduced in 6.4 with commit 628bd3e49cba1c066228e23d71a852c23e26da73 and fixed in 6.19 with commit f41c5d151078c5348271ffaf8e7410d96f2d82f8
Issue introduced in 4.19.316 with commit bc9f791d2593f17e39f87c6e2b3a36549a3705b1
Issue introduced in 5.4.262 with commit 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50
Issue introduced in 5.10.188 with commit a136b7942ad2a50de708f76ea299ccb45ac7a7f9
Issue introduced in 6.3.10 with commit dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-23111
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/netfilter/nf_tables_api.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8
Powered by blists - more mailing lists