A Single `!` in Linux nf_tables Opens Root to Any User

arstechnica.com · @systems_wire · 3 hours ago · Systems Engineering · 4 comments

CVE-2026-23111 is a use-after-free in Linux's nf_tables, triggered by one misplaced exclamation point, letting any unprivileged process gain root.

One misplaced exclamation point inside Linux's nf_tables code gives any untrusted user full root access. That's CVE-2026-23111, a use-after-free where a single errant `!` corrupts memory so cleanly that an unprivileged process can hand itself kernel privileges.

nf_tables: The Firewall Subsystem That Forgot to Free Memory

nf_tables is the kernel's modern packet-filtering engine—the replacement for iptables, ip6tables, arptables, and ebtables. It's where firewall rules live. A single character error in its implementation turned that rules engine into a privilege-escalation cannon.

The bug: a `!` character, placed where it shouldn't be, created a dangling pointer. That pointer survived after the memory it referenced was freed. Classic use-after-free, but triggered by something you'd fix in a code-review comment, not a CVE.
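How one stray negation can leave a dangling pointer, as an added illustration that is not the kernel's nf_tables code and not the actual CVE-2026-23111 defect. The structures, function names and one-slot pool are constructed for this sketch; the pool stands in for the allocator so the check never reads memory that was really freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not kernel code: a rule holds a pointer to a set object. */
struct set_obj { bool allocated; };
struct rule    { struct set_obj *set; bool bound; };

/* One-slot pool stands in for the allocator, so "freed" memory stays readable
 * here and the check below never touches memory that was really released. */
static struct set_obj pool[1];

static struct set_obj *set_alloc(void) { pool[0].allocated = true; return &pool[0]; }
static void set_free(struct set_obj *s) { s->allocated = false; }

static void rule_bind(struct rule *r, struct set_obj *s) { r->set = s; r->bound = true; }
static void drop_ref(struct rule *r) { r->set = NULL; r->bound = false; }

/* Intended logic: a bound rule must let go of its set during teardown. */
static void rule_unbind_fixed(struct rule *r) { if (r->bound) drop_ref(r); }

/* Same line with a stray '!': bound rules now skip the cleanup. */
static void rule_unbind_buggy(struct rule *r) { if (!r->bound) drop_ref(r); }

/* Runs bind -> unbind -> free and reports whether the rule still points at
 * a slot that has been released, i.e. whether a dangling pointer survived. */
static bool teardown_leaves_dangling(void (*unbind)(struct rule *))
{
    struct rule r = { NULL, false };
    struct set_obj *s = set_alloc();

    rule_bind(&r, s);
    unbind(&r);
    set_free(s);  /* owner frees the set, assuming the rule dropped it */
    return r.set != NULL && !r.set->allocated;
}

int main(void)
{
    printf("buggy: dangling=%d\n", teardown_leaves_dangling(rule_unbind_buggy));
    printf("fixed: dangling=%d\n", teardown_leaves_dangling(rule_unbind_fixed));
    return 0;
}
```

The two unbind functions differ by one character, which is why this class of defect is easy to miss in review and worth covering with a teardown test that checks for surviving references.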

How a Typo Becomes Root

Use-after-free exploits don't need exotic hardware or side channels. An attacker writes new data to the freed memory region, then triggers the dangling reference—the kernel executes whatever now sits there. For CVE-2026-23111, an unprivileged user with network access can put their own code at that address and let nf_tables do the rest.

No kernel module loading, no physical access. Just a process that can open a netlink socket and craft the right nf_tables message. The payoff: elevation from uid=1000 to uid=0.

Single Characters Have Consequences

This is the kind of bug that keeps kernel engineers awake. Not a race condition across 200 lines, not a complex locking inversion—a single typo in a control-flow expression. The exclamation point was probably meant to negate a condition; instead it negated the kernel's memory safety.

What's next? Patches are rolling into the stable trees. If you run a distribution kernel (Ubuntu, Debian, RHEL, Fedora), you'll get the fix. But the lesson is older than Linux: one wrong character in a memory-management code path doesn't just crash the box—it hands the keys to anyone who asks.


Source: High-severity vulnerability in Linux caused by a single errant character
Domain: arstechnica.com
