[SRU][J/N/Q][PATCH 0/1] CVE-2026-23111
Tim Whisonant
tim.whisonant at canonical.com
Tue Feb 24 01:07:11 UTC 2026
SRU Justification:
[Impact]
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.
Compare the non-catchall activate callback, which is correct:

    nft_mapelem_activate():
        if (nft_set_elem_active(ext, iter->genmask))
            return 0; /* skip active, process inactive */

With the buggy catchall version:

    nft_map_catchall_activate():
        if (!nft_set_elem_active(ext, genmask))
            continue; /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.
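The following is an added, self-contained model of the reference-count bookkeeping the justification describes; it is not code from the patch or from the kernel tree. It mirrors only the shape of nft_set_elem_active() (active unless the generation bit is set) and the toggle done by nft_set_elem_change_active(). GEN_NEXT, struct catchall_elem, catchall_deactivate(), catchall_activate() and chain_use_after_aborted_delset() are all assumed names; the chain reference count is a single integer and a set with one catchall NFT_GOTO element and one plain catchall element is constructed inline. Running one aborted DELSET with the inverted check versus the corrected check shows why the negation leaves chain->use one too low:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bit standing in for nft_genmask_next(); a set bit in an element's
 * genmask means "inactive in that generation". */
#define GEN_NEXT 0x2u

struct chain {
    int use;                /* models chain->use */
};

struct catchall_elem {
    uint8_t genmask;        /* set bit = inactive in that generation */
    bool goto_verdict;      /* models an NFT_GOTO verdict holding a chain ref */
};

/* Same shape as the kernel's nft_set_elem_active(): active unless bit set. */
static bool elem_active(const struct catchall_elem *e, uint8_t genmask)
{
    return !(e->genmask & genmask);
}

/* Toggle the next-generation bit, as nft_set_elem_change_active() does. */
static void elem_change_active(struct catchall_elem *e)
{
    e->genmask ^= GEN_NEXT;
}

/* DELSET deactivation: mark inactive and drop the verdict's chain reference. */
static void catchall_deactivate(struct catchall_elem *elems, size_t n,
                                struct chain *c)
{
    for (size_t i = 0; i < n; i++) {
        if (!elem_active(&elems[i], GEN_NEXT))
            continue;               /* already inactive, nothing to drop */
        elem_change_active(&elems[i]);
        if (elems[i].goto_verdict)
            c->use--;               /* nft_data_release()-like */
    }
}

/* Abort-path re-activation. 'buggy' selects the inverted check from the
 * report (skip inactive, process active); false selects the corrected check
 * (skip active, process inactive), matching nft_mapelem_activate(). */
static void catchall_activate(struct catchall_elem *elems, size_t n,
                              struct chain *c, bool buggy)
{
    for (size_t i = 0; i < n; i++) {
        bool active = elem_active(&elems[i], GEN_NEXT);
        if (buggy ? !active : active)
            continue;
        elem_change_active(&elems[i]);
        if (elems[i].goto_verdict)
            c->use++;               /* nft_data_hold()-like: restore the ref */
    }
}

/* Run one aborted DELSET over a constructed set holding a catchall NFT_GOTO
 * element and a plain catchall element. Returns chain->use afterwards and,
 * via *restored (may be NULL), whether the verdict element is active again. */
int chain_use_after_aborted_delset(bool buggy, bool *restored)
{
    struct chain c = { .use = 1 };      /* one reference: the catchall verdict */
    struct catchall_elem elems[2] = {
        { .genmask = 0, .goto_verdict = true },
        { .genmask = 0, .goto_verdict = false },
    };

    catchall_deactivate(elems, 2, &c);       /* DELSET begins: use drops to 0 */
    catchall_activate(elems, 2, &c, buggy);  /* transaction aborts */

    if (restored)
        *restored = elem_active(&elems[0], GEN_NEXT);
    return c.use;
}

/* Convenience wrapper: did the abort path re-activate the verdict element? */
bool verdict_elem_restored(bool buggy)
{
    bool restored = false;
    (void)chain_use_after_aborted_delset(buggy, &restored);
    return restored;
}

int main(void)
{
    printf("fixed check: chain->use=%d, verdict element active=%d\n",
           chain_use_after_aborted_delset(false, NULL), verdict_elem_restored(false));
    printf("buggy check: chain->use=%d, verdict element active=%d\n",
           chain_use_after_aborted_delset(true, NULL), verdict_elem_restored(true));
    return 0;
}
```

With the corrected check the abort restores both the element's active state and the reference (chain->use back to 1); with the inverted check the deactivated element is skipped, so the reference dropped by DELSET is never returned and chain->use stays at 0 while the verdict element still points at the chain. The model deliberately leaves out generation-cursor flips and real list handling; it only isolates the effect of the one-character negation the patch removes.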
[Fix]
Questing: applied Jammy patch
Noble: applied Jammy patch
Jammy: cherry picked from upstream
Focal: not affected
Bionic: not affected
Xenial: not affected
Trusty: not affected
[Test Plan]
Compile and boot tested.
[Where problems could occur]
The fix corrects a logic error in the core nftables API,
specifically in the abort path for failed transactions.
Errors might appear as failures to reinstate these catch-all map elements
as active.
Andrew Fasano (1):
netfilter: nf_tables: fix inverted genmask check in
nft_map_catchall_activate()
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.0