One-character nf_tables bug lets local users gain root

A one-character bug in Linux nf_tables lets unprivileged local users escalate to root and escape containers; an upstream patch was issued Feb. 5, 2026 and public exploits followed in April and June.

A one-character bug in the Linux kernel’s nf_tables packet-filtering code can let an unprivileged local user gain root and break out of a container. The flaw is tracked as CVE-2026-23111. The upstream kernel fix was released Feb. 5, 2026. Public exploit write-ups appeared April 16 and June 8. Ubuntu assigned a CVSS score of 7.8 (high).

The bug is a use-after-free that arose from an inverted conditional check in the nf_tables code. The upstream patch removed a single character in a one-line change, correcting the condition so the object is no longer used after it has been freed.

Two independent teams published working demonstrations. FuzzingLabs published a reproduction on April 16. Exodus Intelligence published a full technical walkthrough on June 8. Exodus researcher Oliver Sieber located the bug in early 2025 and demonstrated a chained exploit that converts the use-after-free into local root and a container namespace escape.

Exploitation requires local access and unprivileged user namespaces, a Linux feature that allows ordinary accounts to act as root inside private sandboxes. nf_tables and unprivileged user namespaces are enabled by default on many desktop systems and on some server installations, so any distribution that shipped a vulnerable kernel with those features enabled may be exposed. The flaw does not provide a remote attack path on its own; it is a post-foothold escalation technique.

Distributions including Ubuntu, Debian, Red Hat, SUSE and Amazon Linux have issued advisories and fixes. Ubuntu lists fixes for 22.04, 24.04 and 25.10. Debian fixed Bookworm and Trixie and provided a 6.1 backport for Bullseye LTS. The exact fixed kernel package varies by distribution and release; administrators must check their vendor advisory to identify the correct update.

Vendors and security teams recommend applying vendor kernel updates and rebooting affected systems. Systems that permit untrusted users or workloads to create unprivileged user namespaces should be prioritized for patching or temporarily restricted until updates are applied.
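The two preconditions the article names (nf_tables present, unprivileged user namespaces allowed) and the interim restriction it recommends can be triaged on a host with a short script. This is an added example, not code from the article or from any of the teams it cites; it assumes the standard `sysctl` and `/proc/modules` interfaces, and the sysctl names used are real Linux, Debian and Ubuntu knobs whose presence varies by kernel build.

```shell
#!/bin/sh
# Added example (not from the article): triage the two preconditions the
# article names for CVE-2026-23111 exposure and the interim restriction.
# Assumes: sysctl(8), /proc/modules and /sys/module are available.

# classify_exposure MAX_USERNS UNPRIV_CLONE NFT_PRESENT
#   MAX_USERNS   : user.max_user_namespaces (0 blocks creating user namespaces)
#   UNPRIV_CLONE : kernel.unprivileged_userns_clone (Debian/Ubuntu), "na" if absent
#   NFT_PRESENT  : 1 if nf_tables was detected, else 0
# Prints: restricted | nft-not-detected | exposed ; returns 1 only for exposed.
# Unknown ("na") namespace values are treated as "not restricted".
classify_exposure() {
    max="$1"; clone="$2"; nft="$3"
    if [ "$max" -eq 0 ] 2>/dev/null || [ "$clone" = "0" ]; then
        echo restricted; return 0
    fi
    if [ "$nft" != "1" ]; then
        # A built-in nf_tables may not appear under /sys/module; inconclusive.
        echo nft-not-detected; return 0
    fi
    echo exposed; return 1
}

# Read a sysctl, reporting "na" when the kernel does not expose it.
read_sysctl() { sysctl -n "$1" 2>/dev/null || echo na; }

live_check() {
    max=$(read_sysctl user.max_user_namespaces)
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    if [ -d /sys/module/nf_tables ] || grep -qs '^nf_tables ' /proc/modules; then
        nft=1
    else
        nft=0
    fi
    printf 'kernel=%s max_user_namespaces=%s unprivileged_userns_clone=%s nf_tables=%s -> ' \
        "$(uname -r)" "$max" "$clone" "$nft"
    classify_exposure "$max" "$clone" "$nft"
}

# Run against the local host only when invoked with --live.
if [ "${1:-}" = "--live" ]; then live_check; fi
```

An "exposed" result on an unpatched kernel is the case the article says to prioritize; `sysctl -w user.max_user_namespaces=0` is one way to apply the interim restriction, with the caveat that it also breaks container runtimes and browser sandboxes that rely on user namespaces, so it is a stopgap until the vendor kernel update is installed and the system rebooted.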

CVE-2026-23111 appears amid several recent local privilege escalation disclosures, including Copy Fail, the Dirty Frag chain and its Fragnesia variant, DirtyDecrypt, and an older ptrace issue that can expose /etc/shadow and run commands as root. There are no public reports of exploitation in the wild tied to this nf_tables flaw.
