ctipilot.ch

Linux kernel nf_tables UAF local-root + container escape (CVE-2026-23111)

cve · CVE-2026-23111

Coverage timeline: 1 (first 2026-06-09 → last 2026-06-09)
Briefs: 1 (1 distinct)
Sources cited: 106 (56 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-09 · CTI Daily Brief — 2026-06-09
     research · First coverage. Exodus Intelligence working exploit published 2026-06-08; >99% reliability LPE/container escape; patched upstream 2026-02-05.

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 14 (13%)
  • thehackernews.com: 12 (11%)
  • bleepingcomputer.com: 5 (5%)
  • ubuntu.com: 3 (3%)
  • helpnetsecurity.com: 3 (3%)
  • microsoft.com: 3 (3%)
  • rapid7.com: 3 (3%)
  • access.redhat.com: 2 (2%)
  • other: 61 (58%)

External references

NVD · cve.org · CISA KEV

Items in briefs about Linux kernel nf_tables UAF local-root + container escape (CVE-2026-23111) (1)

Exodus Intelligence publishes working exploit for a one-character Linux kernel nf_tables use-after-free (CVE-2026-23111)

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

Exodus Intelligence released a full technical write-up and working exploit for CVE-2026-23111, a use-after-free in the Linux kernel nf_tables subsystem caused by a single misplaced ! operator in nft_map_catchall_activate() that inverts the generation-mask (genmask) check and so skips the inactive catchall elements during the transaction abort path (Exodus Intelligence, 2026-06-08). Exodus reports >99% reliability on idle Debian Bookworm/Trixie and Ubuntu 22.04/24.04 LTS, yielding escalation from an unprivileged local user to root and container escape (ATT&CK T1068 Exploitation for Privilege Escalation, T1611 Escape to Host) (The Hacker News, 2026-06-08). The flaw was patched upstream on 5 February 2026, and distribution packages carrying the fix are shipping (Ubuntu Security, rated 7.8). There is no network-reachable path: exploitation requires local access or code execution inside a container, which makes the exploit high-value post-exploitation tooling on shared compute (Kubernetes nodes, CI/CD runners, multi-tenant VMs).
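To make the genmask/abort interaction concrete, here is an added example in C that is neither the kernel's code nor Exodus Intelligence's exploit: a toy model of one map element that references a chain, a transaction that deactivates the element, and the abort walk that must reactivate it. The struct and function names, the two-generation bit layout and the refcount-based chain deletion are assumptions chosen for illustration; the model treats the "misplaced !" as an inverted skip condition in the abort walk, as the brief describes, and stops at the point where the chain can be freed while an element still points at it, which is a typical way such a bookkeeping error turns into a use-after-free.

```c
/* Added example (not the kernel's code and not the published exploit): a
 * simplified model of how nf_tables generation masks and map-element data
 * references interact on the transaction abort path. Names and layout are
 * assumptions for illustration; the real code in net/netfilter/nf_tables_api.c
 * differs in detail. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Generation bit for the "next" generation. A set bit means the element is
 * INACTIVE in that generation (the kernel's convention for genmask). */
#define GEN_NEXT 0x2u

struct chain { int use; bool freed; };                    /* referenced by map data */
struct elem  { unsigned genmask; struct chain *target; }; /* one catchall element */

/* Kernel-style check: active in `gen` iff that generation bit is clear. */
static bool elem_active(const struct elem *e, unsigned gen)
{
    return !(e->genmask & gen);
}

/* A transaction deletes the element: mark it inactive for the next generation
 * and drop the reference its data holds on the chain. */
static void elem_deactivate(struct elem *e)
{
    e->genmask |= GEN_NEXT;
    e->target->use--;
}

/* Abort must undo exactly that for the elements the transaction deactivated. */
static void elem_activate(struct elem *e)
{
    e->genmask &= ~GEN_NEXT;
    e->target->use++;
}

/* Walk the catchall list on abort. With `inverted` the skip condition carries
 * the misplaced '!': it skips the inactive elements, which are precisely the
 * ones needing reactivation, so their chain references are never taken back. */
static void map_catchall_activate(struct elem *list, size_t n, bool inverted)
{
    for (size_t i = 0; i < n; i++) {
        bool skip = inverted ? !elem_active(&list[i], GEN_NEXT)
                             :  elem_active(&list[i], GEN_NEXT);
        if (skip)
            continue;
        elem_activate(&list[i]);
    }
}

/* DELCHAIN only succeeds when nothing references the chain any more. */
static bool chain_delete(struct chain *c)
{
    if (c->use != 0)
        return false;
    c->freed = true;                    /* kfree() in the kernel */
    return true;
}

struct outcome {
    int  use_after_abort;               /* chain use count once abort finished */
    bool elem_active_after;             /* element visible again next generation */
    bool dangling;                      /* chain freed while an element points at it */
};

/* One element references one chain; a transaction deactivates the element and
 * is then aborted; later an unrelated DELCHAIN removes the chain. */
static struct outcome run_scenario(bool inverted)
{
    struct chain c = { .use = 1, .freed = false };
    struct elem catchall[1] = { { .genmask = 0, .target = &c } };
    struct outcome o;

    elem_deactivate(&catchall[0]);
    map_catchall_activate(catchall, 1, inverted);
    o.use_after_abort   = c.use;
    o.elem_active_after = elem_active(&catchall[0], GEN_NEXT);

    chain_delete(&c);
    o.dangling = c.freed && catchall[0].target == &c;
    return o;
}

int main(void)
{
    for (int inverted = 0; inverted < 2; inverted++) {
        struct outcome o = run_scenario(inverted);
        printf("%s check: use=%d elem_active=%d dangling=%d\n",
               inverted ? "inverted" : "correct",
               o.use_after_abort, o.elem_active_after, o.dangling);
    }
    return 0;
}
```

With the correct check the abort restores the element and the chain keeps its reference, so the later DELCHAIN is refused; with the inverted check the element stays invisible, the chain's use count is already zero, the deletion is allowed, and the still-present element now holds a pointer to freed memory. In the kernel the next operation that touches that element's data (for example releasing it when the set is destroyed) is where the use-after-free occurs; the model stops at the dangling pointer.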

Why it matters to us: With a reliable public exploit now available, the patch gap is the exposure. Apply vendor kernel updates that contain the 5 February upstream fix. Note that nf_tables is not reached through a dedicated syscall: it is configured over netlink (AF_NETLINK, NETLINK_NETFILTER), and every nf_tables request requires CAP_NET_ADMIN in the caller's network namespace, which an unprivileged user normally obtains by creating a user namespace. In container environments the effective controls are therefore: do not grant CAP_NET_ADMIN to untrusted workloads; keep the runtime's default seccomp profile, which denies unshare and clone with CLONE_NEWUSER to containers lacking CAP_SYS_ADMIN (on Kubernetes this means setting securityContext.seccompProfile.type: RuntimeDefault, since pods run unconfined by default); disable unprivileged user namespaces on hosts that run untrusted code and nothing legitimate needs them (sysctl user.max_user_namespaces=0, or Ubuntu's kernel.apparmor_restrict_unprivileged_userns); and keep AppArmor/SELinux confinement on the workloads. Detection concepts: anomalous UID transitions to 0 from non-root parents (Linux audit execve/setuid records); unexpected privileged process spawns inside containers.
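The first detection concept above, as an added example written for this page and not taken from the brief or any vendor: a small C detector that parses Linux audit execve SYSCALL records, remembers each pid's euid, and alerts when a process runs with euid 0 although its parent was last seen unprivileged and the image is not an allowlisted setuid helper. The audit lines, pids and the allowlist are constructed for the example; the field names (ppid, pid, auid, uid, euid, exe) are those of the real audit key=value format.

```c
/* Added example (not from the brief or any vendor): a minimal detector for the
 * "UID transition to 0 from a non-root parent" concept, run over constructed
 * audit SYSCALL records for execve. Field layout follows Linux audit's key=value
 * format; the sample lines, pids and setuid-helper allowlist are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PROCS 64

/* Constructed sample: a user shell runs a PoC that spawns a root shell; the
 * same user also runs sudo legitimately (sudo is setuid, so euid=0 there). */
static const char *const SAMPLE_AUDIT[] = {
    "type=SYSCALL msg=audit(1781000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1311 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"exec\"",
    "type=SYSCALL msg=audit(1781000000.105:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1311 pid=1320 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 comm=\"poc\" exe=\"/tmp/poc\" key=\"exec\"",
    "type=SYSCALL msg=audit(1781000000.212:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1320 pid=1325 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm=\"sh\" exe=\"/usr/bin/dash\" key=\"exec\"",
    "type=SYSCALL msg=audit(1781000000.300:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1311 pid=1340 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 comm=\"sudo\" exe=\"/usr/bin/sudo\" key=\"exec\"",
    "type=SYSCALL msg=audit(1781000000.301:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1340 pid=1341 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"exec\"",
    "type=PROCTITLE msg=audit(1781000000.301:205): proctitle=\"bash\"",
};
#define SAMPLE_COUNT (sizeof SAMPLE_AUDIT / sizeof SAMPLE_AUDIT[0])

/* Numeric field; keys carry a leading space so " uid=" cannot match "auid=",
 * "euid=" or "fsuid=". Returns -1 when the field is absent. */
static long field_num(const char *line, const char *key)
{
    const char *p = strstr(line, key);
    return p ? strtol(p + strlen(key), NULL, 10) : -1;
}

/* Quoted string field such as exe="...", copied without the quotes. */
static void field_str(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (p)
        for (p += strlen(key); p[i] && p[i] != '"' && i + 1 < n; i++)
            out[i] = p[i];
    out[i] = '\0';
}

/* Last-seen euid per pid, so a child's parent credentials can be looked up. */
struct proc_table { long pid[MAX_PROCS]; long euid[MAX_PROCS]; size_t n; };

static long lookup_euid(const struct proc_table *t, long pid)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->pid[i] == pid) return t->euid[i];
    return -1;                          /* parent never seen: no verdict */
}

static void record(struct proc_table *t, long pid, long euid)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->pid[i] == pid) { t->euid[i] = euid; return; }
    if (t->n < MAX_PROCS) { t->pid[t->n] = pid; t->euid[t->n] = euid; t->n++; }
}

/* Assumed site allowlist of binaries that legitimately raise euid to 0. */
static bool is_setuid_helper(const char *exe)
{
    static const char *const allow[] = { "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd" };
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (strcmp(exe, allow[i]) == 0) return true;
    return false;
}

/* Rule: an execve record with euid 0 whose parent was last seen with a non-zero
 * euid and whose image is not an allowlisted setuid helper. Returns the alert
 * count and stores up to `max` offending pids. */
static int detect(const char *const *lines, size_t nlines, long *alert_pids, size_t max)
{
    struct proc_table t = { .n = 0 };
    int alerts = 0;
    for (size_t i = 0; i < nlines; i++) {
        const char *l = lines[i];
        char exe[256];
        if (strncmp(l, "type=SYSCALL", 12) != 0 || field_num(l, " syscall=") != 59)
            continue;                   /* only execve SYSCALL records (x86_64: 59) */
        long pid = field_num(l, " pid="), ppid = field_num(l, " ppid=");
        long euid = field_num(l, " euid=");
        field_str(l, " exe=\"", exe, sizeof exe);
        if (euid == 0 && lookup_euid(&t, ppid) > 0 && !is_setuid_helper(exe)) {
            if ((size_t)alerts < max) alert_pids[alerts] = pid;
            alerts++;
        }
        record(&t, pid, euid);
    }
    return alerts;
}

/* Run the rule over the constructed sample; returns the k-th alerting pid or -1. */
static long sample_alert_pid(int k)
{
    long p[8];
    int n = detect(SAMPLE_AUDIT, SAMPLE_COUNT, p, 8);
    return (k >= 0 && k < n && k < 8) ? p[k] : -1;
}

int main(void)
{
    for (int k = 0; sample_alert_pid(k) != -1; k++)
        printf("ALERT: pid %ld gained euid 0 under a non-root parent\n", sample_alert_pid(k));
    return 0;
}
```

On the sample only pid 1325 (the shell spawned by /tmp/poc) is flagged: the sudo exec is allowlisted, and the root bash under sudo has a root parent. In production the records would come from an audit rule such as -a always,exit -F arch=b64 -S execve -k exec, the allowlist would be derived from the host's actual setuid inventory, and the auid field (the login UID, which survives the privilege change) is what ties the root shell back to the original user session.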