A use-after-free vulnerability in the Linux kernel's netfilter nf_tables subsystem (the component underpinning modern Linux firewall rules, network address translation, and packet filtering) can be exploited by an unprivileged local attacker to obtain root-level code execution on affected systems. The flaw, assigned CVE-2026-23231, has a CVSS v3.1 base score of 7.5 and carries a HIGH severity rating.
The vulnerability follows a well-trodden attack pattern in nf_tables: improper synchronisation during rule set modification under concurrent load creates a window in which freed memory can be accessed, corrupted, and leveraged to control kernel execution flow.
Technical Details
The flaw exists in the nft_chain_release_hook() function within net/netfilter/nf_tables_api.c. When a chain is deleted while a packet traversal is in progress on a separate CPU, the hook deregistration routine can access the nft_hook structure after it has been freed by the chain teardown path. On kernels compiled with SLAB allocators (the default on most distribution kernels), the freed memory can be reallocated and overwritten by an attacker-controlled allocation before the dangling pointer is dereferenced.
A public proof-of-concept demonstrating local privilege escalation to root on Ubuntu 24.04 LTS was published alongside the CVE disclosure, lowering the exploitation barrier significantly. The PoC requires only unprivileged user access and the ability to create network namespaces, a capability enabled by default on Ubuntu, Debian, and many containerised workloads.
Affected kernel versions: 5.14 through 6.9.26 (inclusive). Kernels below 5.14 do not contain the affected nf_tables hook management code introduced in that series.
| Distribution | Affected Version | Fix Available |
|---|---|---|
| RHEL / AlmaLinux / Rocky 9 | kernel-5.14.0-xxx < 5.14.0-570 | kernel-5.14.0-570.el9 |
| Ubuntu 24.04 LTS | 6.8.x < 6.8.0-61 | linux-image-6.8.0-61 |
| Ubuntu 22.04 LTS | 5.15.x < 5.15.0-135 | linux-image-5.15.0-135 |
| Debian 12 (Bookworm) | 6.1.x < 6.1.135 | linux-image-6.1.135 |
| SLES 15 SP6 | 6.4.x | SUSE-SU-2026:1412 |
| Upstream stable | ≤ 6.9.26 | 6.9.27 |
Exploitation Context
The vulnerability is locally exploitable only; network-based exploitation is not directly possible. However, this scope is misleading in practice. Container environments where user namespaces are enabled (the default in Kubernetes, Docker, and most PaaS runtimes) allow an attacker who achieves code execution inside a container to escalate to root and subsequently escape the container namespace using established kernel exploitation techniques.
Cloud and enterprise environments running untrusted workloads in shared Kubernetes clusters or multi-tenant VMs are therefore at elevated risk. An attacker who gains an initial foothold through a vulnerable application running inside a container could chain CVE-2026-23231 to achieve node-level compromise.
No confirmed in-the-wild exploitation has been reported as of publication, but the availability of a functional PoC makes rapid exploitation likely.
Recommended Actions
- Apply distribution kernel updates immediately: all major distributions have issued stable kernel packages within 48 hours; this is a high-priority patch cycle, not one to defer to a monthly window.
- Restrict user namespace creation on systems where it is not operationally required: `sysctl -w kernel.unprivileged_userns_clone=0` (Ubuntu/Debian) or `sysctl -w user.max_user_namespaces=0` (RHEL/derivatives). This mitigates the PoC but is not a comprehensive fix.
- Audit container runtime configurations: review which Kubernetes pods and Docker containers run with `--privileged` or elevated `seccomp` profiles; privilege escalation via kernel bugs is most impactful from these entry points.
- Monitor for exploitation indicators: watch for unexpected suid binary executions, `/proc/sys/kernel/` modification attempts, and unusual network namespace creation events in kernel audit logs or EDR telemetry.
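The triage script below is an added example for the actions above; it is not from the advisory or from any distribution's tooling. It checks a kernel version string against the upstream affected range stated earlier (5.14 through 6.9.26; distribution kernels backport fixes, so the table above governs for those), checks whether either of the two user-namespace sysctls named in the second action is already set to 0, and prints an auditd rule for the monitoring step. The audit rule (syscalls `unshare` and `setns`, key name `userns-create`, the `auid>=1000` filter) is an assumption chosen for illustration, not something the advisory prescribes.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2026-23231 (not the advisory's own code).

# version_key VERSION -> sortable integer; strips a distro suffix such as "-61-generic"
version_key() {
    v=${1%%-*}
    printf '%s\n' "$v" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# upstream_affected VERSION: succeeds when 5.14.0 <= VERSION <= 6.9.26
# (the upstream range from the advisory; distro kernels need the distro table)
upstream_affected() {
    k=$(version_key "$1")
    lo=$(version_key 5.14.0)
    hi=$(version_key 6.9.26)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# userns_restricted "SYSCTL_LINE": succeeds when the line shows either sysctl
# from the advisory set to 0, e.g. "user.max_user_namespaces = 0"
userns_restricted() {
    printf '%s\n' "$1" |
        grep -Eq '^(kernel\.unprivileged_userns_clone|user\.max_user_namespaces) *= *0$'
}

# audit_rule: auditd rule (assumed, for illustration) that logs namespace-creating
# syscalls made by logged-in users (auid>=1000, auid set), keyed for easy searching
audit_rule() {
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S unshare -S setns -F auid>=1000 -F auid!=-1 -k userns-create'
}

# triage: run the checks against the live host; invoke as "sh triage.sh --live"
triage() {
    kv=$(uname -r)
    if upstream_affected "$kv"; then
        echo "kernel $kv is inside the upstream affected range; verify the distro fix level"
    else
        echo "kernel $kv is outside the upstream affected range"
    fi
    if command -v sysctl >/dev/null 2>&1; then
        for key in kernel.unprivileged_userns_clone user.max_user_namespaces; do
            line=$(sysctl "$key" 2>/dev/null) || continue
            if userns_restricted "$line"; then
                echo "mitigated: $line"
            else
                echo "unprivileged user namespaces still allowed: $line"
            fi
        done
    fi
    echo "suggested audit rule:"
    audit_rule
}

if [ "${1:-}" = "--live" ]; then
    triage
fi
```

The version comparison deliberately drops everything after the first `-`, so a distribution string like `5.14.0-570.el9` is judged only by its upstream base; that is why the live output says to verify the distro fix level rather than declaring the host vulnerable.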