News: 0183718930


High-Severity Vulnerability In Linux Caused By a Single Errant Character (arstechnica.com)

(Tuesday June 09, 2026 @05:00PM (BeauHD) from the one-character-root-access dept.)


An anonymous reader quotes a report from Ars Technica:

> Researchers have [1]analyzed a high-severity vulnerability in Linux that's able to escalate untrusted users to root by exploiting a bug you don't often see: [2]a single errant character inside the kernel. The vulnerability, tracked as [3]CVE-2026-23111, is located in nf_tables, a subsystem of the Linux kernel that provides packet filtering capabilities. It's used to manage firewall rules and replaces older subsystems such as iptables, ip6tables, arptables, and ebtables.

>

> The presence of a single mis-issued exclamation point in code implementing nf_tables introduced a use-after-free, a class of vulnerability that corrupts memory by placing malicious code at memory addresses that haven't been properly freed of their previous contents. CVE-2026-23111 can be exploited by an unprivileged user or process to elevate system rights to root. The exploit works by disrupting the deletion of verdicts -- a determination within the nf_tables framework that determines if a packet matches a rule calling for a certain action to be performed. This process can use what are known as catchall elements, which act as a wildcard in the event a lookup doesn't match any other element in the set.

>

> When a verdict map is deleted from memory, catchall elements are deactivated and a chain's reference counter is decremented. When errors occur the deletion can be reversed and the counter incremented. CVE-2026-23111 allows for that process to be altered. As a result, the exploit can decrement the variable an arbitrary number of times and then delete and free the chain when some objects still point to it.

Although the kernel vulnerability was [4]fixed in February, multiple proof-of-concept exploits have since emerged, including [5]one from FuzzingLabs in April and [6]another from Exodus Intelligence that works on Debian and Ubuntu.



[1] https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/

[2] https://arstechnica.com/security/2026/06/a-single-errant-character-in-the-linux-kernel-allows-attacker-to-gain-root/

[3] https://nvd.nist.gov/vuln/detail/CVE-2026-23111

[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f41c5d151078c5348271ffaf8e7410d96f2d82f8

[5] https://fuzzinglabs.com/repro-cve-2026-23111/

[6] https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel/
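
The counter imbalance described in the quoted report, as a toy C model added here (not kernel code and not from the report or the researchers). Every name is hypothetical, and having several map elements reference one chain is a simplifying assumption; it shows why a negated check on the undo path leaves a counter of zero while references are still live.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model with hypothetical names; none of this is nf_tables code. */
struct chain    { int use; bool freed; };   /* use = reference counter */
struct catchall { struct chain *target; bool active; };

/* Map deletion: deactivate the catchall element, drop its chain reference. */
static void deactivate(struct catchall *e)
{
    if (!e->active)
        return;
    e->active = false;
    e->target->use--;
}

/* Abort path: reverse the deletion. 'inverted' models the stray '!'. */
static void reactivate(struct catchall *e, bool inverted)
{
    bool skip = inverted ? !e->active : e->active;
    if (skip)
        return;             /* the check believes there is nothing to undo */
    e->active = true;
    e->target->use++;
}

/* A chain may only be deleted once its counter says nobody uses it. */
static bool chain_delete(struct chain *c)
{
    if (c->use != 0)
        return false;
    c->freed = true;        /* stands in for the real free */
    return true;
}

/* Delete-then-abort n maps, then try to delete the chain they point to.
 * Returns how many elements still reference a freed chain. */
static int dangling_after_aborts(int n, bool inverted)
{
    struct catchall elems[8];
    n = n > 8 ? 8 : n;
    struct chain c = { .use = n, .freed = false };
    for (int i = 0; i < n; i++) {
        elems[i] = (struct catchall){ .target = &c, .active = true };
        deactivate(&elems[i]);
        reactivate(&elems[i], inverted);
    }
    int dangling = 0;
    if (chain_delete(&c))
        for (int i = 0; i < n; i++)
            dangling += (elems[i].target == &c);
    return dangling;
}
```

With the correct check the aborted deletions restore the counter and the chain delete is refused; with the negated check every aborted deletion leaks one decrement.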



Yikes! (Score:3, Funny)

by Anonymous Coward

This sounds dangerous...very dangerous! Best to stick with a safe OS like Windows.

Re: Yikes! (Score:1)

by liqu1d ( 4349325 )

The knowledge it sucks makes it safer. You're under no illusions to trust it.

Re: Yikes! (Score:2)

by Tomahawk ( 1343 )

That's the joke...

Re: (Score:3)

by drnb ( 2434720 )

> This sounds dangerous...very dangerous! Best to stick with a safe OS like Windows.

The safe OS would be OpenBSD, especially where firewalls are concerned

! = not (Score:4, Insightful)

by mick232 ( 1610795 )

It probably isn't uncommon that bugs are created by erroneously adding or removing a "not" operation from code.

Re: (Score:3)

by OrangAsm ( 678078 )

There are plenty of one character bugs: "=" vs "==", "," vs ";", "0" vs "O", "I" vs "l"

Why is this all over the news suddenly? (Score:2)

by XanC ( 644172 )

From what I can tell, this was patched months ago. Why is it a big splashy deal starting yesterday?

Re: (Score:2)

by gweihir ( 88907 )

Indeed. And due to the two recent kernel problems, anybody should have updated their kernels anyways. Sounds like quite the non-story to me. Slashvertisement?

So, how does that cause privilege escalation? (Score:3)

by gweihir ( 88907 )

At least on my systems you need to be root to do anything with nf_tables. Is this some distro specific permission stupidity?
