Security researchers have published a detailed, working exploit for a Linux kernel use-after-free that lets an unprivileged local user escalate to root and break out of a container.
The flaw, CVE-2026-23111, sits in the kernel’s nf_tables packet-filtering code and was patched upstream on February 5, 2026. Exodus Intelligence released its full technical walkthrough on June 8, and it is not even the first public exploit: FuzzingLabs published an independent reproduction back in April.
The flaw came down to a single stray character, an inverted check in nf_tables, and the upstream fix removed it in one line. Ubuntu rates the flaw CVSS 7.8 (high). If your distribution’s kernel package does not yet include the fix, update and reboot.
The reachable setup is common: nf_tables plus unprivileged user namespaces, a Linux feature that lets an ordinary account act as root inside a private sandbox and reach kernel code it otherwise could not.
Both ship by default on most desktops and many server builds. There is no remote vector on its own. This is a bug that an attacker reaches for after getting a foothold, turning a low-privileged shell, a compromised container, or a service account into root on the host.
Exodus researcher Oliver Sieber, who found the bug in early 2025, chained it into a full local root. The exploit sets off the use-after-free, works around the kernel’s built-in memory protections, then seizes control of execution to grant itself root and break out of the container’s namespace.
He demonstrated it on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
FuzzingLabs reproduced the bug on RHEL 10 ahead of Pwn2Own Berlin 2026, building its own root exploit by a different route. The timeline is tight: the fix shipped February 5, FuzzingLabs published April 16, and Exodus’s detailed write-up landed June 8.
The technique is now documented across Debian, Ubuntu, and Red Hat. Because the bug is in the mainline kernel, any distribution that shipped a vulnerable kernel with both features enabled is exposed, unless a distribution’s hardening or namespace restrictions block the path.
CVE-2026-23111 lands in the middle of a heavy run of Linux local-root disclosures. Recent weeks have brought Copy Fail, the Dirty Frag chain, its Fragnesia variant, DirtyDecrypt, and a nine-year-old ptrace flaw that reads /etc/shadow and runs commands as root.
They differ in the details, but share the part that should worry defenders: an unprivileged foothold keeps turning into root on ordinary installs.
Update the kernel and reboot. The bug is local-only and needs unprivileged user namespaces, so focus first on systems that let untrusted users or workloads create them.
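To help order that patching work, the following shell script is an added example, not code from the article, Exodus Intelligence, or FuzzingLabs. It reports whether a host currently allows unprivileged user namespaces and has nf_tables loaded. The ROOT prefix argument and the verdict labels are assumptions of this example; the sysctl files it reads are the mainline user.max_user_namespaces, the Debian/Ubuntu kernel.unprivileged_userns_clone, and Ubuntu's kernel.apparmor_restrict_unprivileged_userns.

```shell
#!/bin/sh
# Added example: triage the two preconditions the article names
# (unprivileged user namespaces and nf_tables). It does not tell you
# whether the kernel is patched; use your distribution's advisory for that.
# ROOT (assumption of this example) is a path prefix so the checks can be
# pointed at a constructed tree; empty means the live system.

read_knob() {   # print a sysctl file's value, or "absent" if unreadable
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Prints one of: open | restricted | disabled
userns_state() {
    max=$(read_knob "$1/proc/sys/user/max_user_namespaces")
    clone=$(read_knob "$1/proc/sys/kernel/unprivileged_userns_clone")
    aa=$(read_knob "$1/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
    if [ "$max" = 0 ] || [ "$clone" = 0 ]; then
        echo disabled       # nobody unprivileged can create a user namespace
    elif [ "$aa" = 1 ]; then
        echo restricted     # Ubuntu's AppArmor restriction is switched on
    else
        echo open           # no knob found that blocks creation
    fi
}

# Prints: loaded | not-loaded. "not-loaded" only reflects /proc/modules:
# it does not cover nf_tables built into the kernel or loaded later.
nft_state() {
    if grep -q '^nf_tables ' "$1/proc/modules" 2>/dev/null; then
        echo loaded
    else
        echo not-loaded
    fi
}

# Combine both checks into a patching-order hint.
triage() {
    u=$(userns_state "$1"); n=$(nft_state "$1")
    case "$u/$n" in
        open/loaded) echo "priority: userns=$u nf_tables=$n" ;;
        disabled/*)  echo "lower: userns=$u nf_tables=$n" ;;
        *)           echo "review: userns=$u nf_tables=$n" ;;
    esac
}

triage "${ROOT:-}"
```

A "lower" or "review" result changes the order of patching only; the kernel update and reboot are still required.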
Ubuntu has fixes for 22.04, 24.04, and 25.10, and Debian fixed Bookworm and Trixie, with a 6.1 backport for Bullseye LTS. Red Hat, SUSE, and Amazon Linux track the flaw as well; check your distribution’s advisory for the…
