High-Severity Vulnerability In Linux Caused By a Single Errant Character (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Researchers have analyzed a high-severity vulnerability in Linux that's able to escalate untrusted users to root by exploiting a bug you don't often see: a single errant character inside the kernel. The vulnerability, tracked as CVE-2026-23111, is located in nf_tables, a subsystem of the Linux kernel that provides packet filtering capabilities. It's used to manage firewall rules and replaces older subsystems such as iptables, ip6tables, arptables, and ebtables.
The presence of a single mis-issued exclamation point in code implementing nf_tables introduced a use-after-free, a class of vulnerability that corrupts memory by placing malicious code at memory addresses that haven't been properly freed of their previous contents. CVE-2026-23111 can be exploited by an unprivileged user or process to elevate system rights to root. The exploit works by disrupting the deletion of verdicts -- a determination within the nf_tables framework that determines if a packet matches a rule calling for a certain action to be performed. This process can use what are known as catchall elements, which act as a wildcard in the event a lookup doesn't match any other element in the set.
When a verdict map is deleted from memory, catchall elements are deactivated and a chain's reference counter is decremented. When errors occur the deletion can be reversed and the counter incremented. CVE-2026-23111 allows for that process to be altered. As a result, the exploit can decrement the variable an arbitrary number of times and then delete and free the chain when some objects still point to it. Although the kernel vulnerability was fixed in February, multiple proof-of-concept exploits have since emerged, including one from FuzzingLabs in April and another from Exodus Intelligence that works on Debian and Ubuntu.
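The deactivate/abort imbalance described in the summary, as an added illustration in C. This is not kernel code and not from the article: the struct names, the boolean "active" flag standing in for the generation mask, the split of the rollback into a reference-restoring step and a generic re-arm step, and the reference counts (three catchall elements plus three other references) are all assumptions chosen to make the mechanism visible. The `buggy` flag flips one boolean test, the modelled equivalent of the errant `!`.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model parameters (assumed, not taken from the kernel): how many catchall
 * elements the map holds and how many other objects (rules jumping to the
 * chain) also hold a reference on it. */
#define N_ELEMS    3
#define OTHER_REFS 3

struct chain {
    int  use;    /* reference counter: how many objects point at this chain */
    bool freed;  /* set once the chain has been released */
};

struct elem {
    bool          active;  /* cleared while a delete transaction is pending */
    struct chain *target;  /* chain this element's jump verdict points at */
};

struct vmap {
    struct elem e[N_ELEMS];
};

struct result {
    int  use;          /* chain->use after the experiment */
    bool chain_freed;  /* did chain deletion go through? */
    int  dangling;     /* live elements still pointing at the freed chain */
};

/* Deleting the verdict map: deactivate each live catchall element and drop
 * the reference it held on the chain. */
static void vmap_deactivate(struct vmap *m)
{
    for (int i = 0; i < N_ELEMS; i++) {
        if (!m->e[i].active)
            continue;
        m->e[i].active = false;
        m->e[i].target->use--;
    }
}

/* Rolling the deletion back after an error.  Step 1 gives the chain its
 * references back; the test decides which elements that applies to.  Step 2
 * is the generic rollback that re-arms every element.  `buggy` selects the
 * inverted test: it skips exactly the elements whose reference must be
 * restored, so the chain loses N_ELEMS references on every failed attempt
 * while the elements themselves come back to life. */
static void vmap_abort(struct vmap *m, bool buggy)
{
    for (int i = 0; i < N_ELEMS; i++) {
        bool still_live = m->e[i].active;
        bool skip = buggy ? !still_live : still_live;
        if (skip)
            continue;
        m->e[i].target->use++;
    }
    for (int i = 0; i < N_ELEMS; i++)
        m->e[i].active = true;
}

/* Chain deletion is refused while anything still references the chain. */
static bool chain_delete(struct chain *c)
{
    if (c->use != 0)
        return false;
    c->freed = true;
    return true;
}

/* Run `cycles` failed map deletions, then attempt to delete the chain.
 * In the buggy variant two failed attempts are enough to drive `use` to
 * zero while every element (and every rule) still points at the chain:
 * the use-after-free condition. */
static struct result simulate(bool buggy, int cycles)
{
    struct chain c = { .use = N_ELEMS + OTHER_REFS, .freed = false };
    struct vmap  m;
    for (int i = 0; i < N_ELEMS; i++)
        m.e[i] = (struct elem){ .active = true, .target = &c };

    for (int i = 0; i < cycles; i++) {
        vmap_deactivate(&m);
        vmap_abort(&m, buggy);
    }

    struct result r = { .use = c.use, .chain_freed = chain_delete(&c), .dangling = 0 };
    for (int i = 0; i < N_ELEMS; i++)
        if (m.e[i].active && m.e[i].target->freed)
            r.dangling++;
    return r;
}

int main(void)
{
    for (int cycles = 0; cycles <= 2; cycles++) {
        struct result fixed = simulate(false, cycles);
        struct result bug   = simulate(true,  cycles);
        printf("%d failed deletion(s): fixed use=%d freed=%d dangling=%d | buggy use=%d freed=%d dangling=%d\n",
               cycles, fixed.use, fixed.chain_freed, fixed.dangling,
               bug.use, bug.chain_freed, bug.dangling);
    }
    return 0;
}
```

The fixed variant returns to `use = 6` after every aborted deletion, so `chain_delete` keeps refusing. The buggy variant leaks three references per attempt; after the second attempt `use` reads zero, the chain is released, and all three re-armed elements (plus the modelled rules) point at freed memory. The attacker never needs the chain to be unreferenced, only for the counter to say so, which is why the number of repetitions, not any single step, is what matters.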
Yikes! (Score:5, Funny)
This sounds dangerous...very dangerous! Best to stick with a safe OS like Windows.
Re:Yikes! (Score:4, Insightful)
This sounds dangerous...very dangerous! Best to stick with a safe OS like Windows.
The safe OS would be OpenBSD, especially where firewalls are concerned
Re: (Score:2)
This sounds dangerous...very dangerous! Best to stick with a safe OS like Windows.
The safe OS would be OpenBSD, especially where firewalls are concerned
Safer perhaps, but not safe. Doubtful anything written in C is truly safe.
Re: (Score:3)
This sounds dangerous...very dangerous! Best to stick with a safe OS like Windows.
The safe OS would be OpenBSD, especially where firewalls are concerned
safer perhaps but not safe. doubtful anything written in C is truly safe
Well I suppose CPUs are fast enough now that we could write an OS in LISP.
Re: (Score:2)
"LISP"? With dynamic scoping? That's a rat's nest of programming errors waiting to happen.
! = not (Score:5, Insightful)
Re:! = not (Score:5, Informative)
Re: (Score:3)
Yes. "One character off" is not special in any way causing massive problems. It is like whoever wrote that crap has no idea what a formal language with a formal syntax is. Or how code works. The number of "characters off" is not a useful metric when discussing program semantics at all.
Re: (Score:2)
Yes. "One character off" is not special in any way causing massive problems. It is like whoever wrote that crap has no idea what a formal language with a formal syntax is. Or how code works. The number of "characters off" is not a useful metric when discussing program semantics at all.
The spurious/missing '!' is special; it's sometimes a testing artifact, not a normal I-got-the-expression-wrong sort of bug. It's sometimes done to exercise alternative code paths that are not easily triggered by user input. People sometimes screw up and leave the testing-specific change in the code, especially if they did more than one at a time.
Re: (Score:2)
Which essentially just shows how pathetic software testing is in the first place. But, yes, people do that to get "path coverage" and then forget about it.
or it's just a typo (Score:1)
Who knows. Maybe the guy didn't hit the "!" key hard enough and didn't see it didn't show up and he wasn't looking at the screen closely. Maybe his brain focus shifted on remembering the name of nft_set_elem_active and he momentarily forgot he was supposed to type a "!". Maybe he copied and pasted "nft_set_elem_active(ext, genmask)" from somewhere else and forgot to add a "!".
There are many mental processes that result in bugs in software -- assuming he manually changed all the code for testing and then for
I wrote a one-character-off bug last month (Score:2)
How embarrassing. [mametesters.org] At least it wasn't in security-critical software.
Why is this all over the news suddenly? (Score:3)
From what I can tell, this was patched months ago. Why is it a big splashy deal starting yesterday?
Re: (Score:2)
Indeed. And due to the two recent kernel problems, anybody should have updated their kernels anyways. Sounds like quite the non-story to me. Slashvertisement?
Re: (Score:2)
I searched the CVE and saw dozens of "One Character Flaw" articles.
I wonder who came up with that angle.
It appears journalists bit on that phrase for clickbait. It got an article here, eh?
At least for Debian if you're current it hasn't been a concern for months, going by the version numbers. So not actually news, actionable, or interesting.
Re: Why is this all over the news suddenly? (Score:3)
Because previously it was theoretically possible to exploit the problem; a working exploit with 99% reliability has been published in the last few days.
So, how does that cause privilege escalation? (Score:3)
At least on my systems you need to be root to do anything with nf_tables. Is this some distro-specific permission stupidity?
Re:So, how does that cause privilege escalation? (Score:4, Informative)
At least on my systems you need to be root to do anything with nf_tables. Is this some distro-specific permission stupidity?
Maybe. There's a feature called user namespaces [kicksecure.com] in Linux that effectively allows an unprivileged user to act as if they were a privileged user within a specific environment. (Basically, containerization.) Within such a namespace, a non-privileged user could conceptually access nf_tables as if they were a privileged user. In theory this would only allow them to add additional filters within the namespace, but the vulnerability here can provide direct access to kernel memory.
Some distros add additional layers of security to prevent flaws like that, blocking access to nf_tables even within a namespace, but the vulnerability links to ways around those [archive.org]. (Link to the Wayback Machine from the source vulnerability disclosure.)
It's possible your distro may be secure - or it may not be. It depends on what features are enabled.
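A practical way to answer the question the comment above leaves open ("it depends on what features are enabled") is to ask the running kernel. The probe below is an added example, not code from the article or from any of the commenters: it reads the relevant sysctls that exist on Linux (`user.max_user_namespaces` everywhere; `kernel.unprivileged_userns_clone` on Debian and `kernel.apparmor_restrict_unprivileged_userns` on Ubuntu, both distro-specific and absent elsewhere), then forks a child that tries to enter a fresh user plus network namespace and checks whether its effective capability set now includes CAP_NET_ADMIN, which is the capability that gates nf_tables configuration. Compile and run as an ordinary user; a result of "AVAILABLE" means an unprivileged process on this machine can talk to nf_tables inside its own namespace.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the libc headers were pulled in without _GNU_SOURCE;
 * values are the kernel's from <linux/sched.h>. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif

#define CAP_NET_ADMIN_BIT 12  /* bit index of CAP_NET_ADMIN, from <linux/capability.h> */

/* Given one line of /proc/<pid>/status, return 1 if it is the CapEff line
 * with `bit` set, 0 if it is the CapEff line with the bit clear, and -1 if
 * it is some other line. */
static int capeff_has_bit(const char *line, int bit)
{
    unsigned long long caps;
    if (sscanf(line, "CapEff: %llx", &caps) != 1)
        return -1;
    return (int)((caps >> bit) & 1ULL);
}

/* Scan a whole status buffer line by line for the CapEff entry. */
static int status_has_cap(const char *status, int bit)
{
    const char *p = status;
    while (p && *p) {
        int r = capeff_has_bit(p, bit);
        if (r >= 0)
            return r;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Read a small integer sysctl from /proc/sys; -1 means the knob is absent on
 * this kernel (the Debian and Ubuntu ones are not upstream). */
static long read_sysctl(const char *path)
{
    char buf[32];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return strtol(buf, NULL, 10);
}

/* Fork a child that unshares into a new user+net namespace and inspects its
 * own CapEff.  Returns 1 if the child holds CAP_NET_ADMIN there, 0 if the
 * namespace could not be created or the capability is missing, -1 on error. */
static int probe_unpriv_netns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) != 0)
            _exit(2);
        char status[4096];
        int fd = open("/proc/self/status", O_RDONLY);
        if (fd < 0)
            _exit(3);
        ssize_t n = read(fd, status, sizeof status - 1);
        if (n <= 0)
            _exit(3);
        status[n] = '\0';
        _exit(status_has_cap(status, CAP_NET_ADMIN_BIT) == 1 ? 0 : 1);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    switch (WEXITSTATUS(st)) {
    case 0:  return 1;
    case 1:
    case 2:  return 0;
    default: return -1;
    }
}

int main(void)
{
    printf("user.max_user_namespaces                     = %ld\n",
           read_sysctl("/proc/sys/user/max_user_namespaces"));
    printf("kernel.unprivileged_userns_clone             = %ld (Debian-specific; -1 = absent)\n",
           read_sysctl("/proc/sys/kernel/unprivileged_userns_clone"));
    printf("kernel.apparmor_restrict_unprivileged_userns = %ld (Ubuntu-specific; -1 = absent)\n",
           read_sysctl("/proc/sys/kernel/apparmor_restrict_unprivileged_userns"));
    int r = probe_unpriv_netns();
    if (r == 1)
        puts("unprivileged user+net namespace with CAP_NET_ADMIN: AVAILABLE (nf_tables reachable without root)");
    else if (r == 0)
        puts("unprivileged user+net namespace with CAP_NET_ADMIN: BLOCKED");
    else
        puts("probe failed");
    return 0;
}
```

The sysctl readings explain the result: `max_user_namespaces = 0` or `unprivileged_userns_clone = 0` disables creation outright, while the Ubuntu AppArmor knob leaves creation possible for confined programs only, so the fork-and-unshare probe is the authoritative check rather than any single file. Note that a "BLOCKED" result only closes the unprivileged-user path to nf_tables; the kernel fix is still needed for anything that legitimately holds CAP_NET_ADMIN.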
Re: (Score:2)
Thanks. I do not even have user namespaces in my kernels. Did strike me as very unsafe and I do not use containers anyways.
Would that character ... (Score:5, Funny)
Bobby and the MF'in tables. (Score:5, Funny)
The vulnerability, tracked as CVE-2026-23111, is located in nf_tables...
It's been a while since anyone's dropped his name.
We sure little Bobby Tables didn't screw with this somehow?
Eats, Shoots & Leaves (Score:2)
It was a logic error, not a substituted character (Score:2)
This is why less is more (Score:2)