A single inverted character in the Linux kernel's nf_tables subsystem lets an unprivileged local user gain root and escape container isolation. The patch has been available since February — but a full working exploit dropped on June 8, making this an active remediation deadline for anyone still running an unpatched kernel.

Affected versions

The vulnerability lives in nft_map_catchall_activate() in the kernel's netfilter nf_tables code. It affects systems where both CONFIG_NF_TABLES and CONFIG_USER_NS are compiled in — which covers most standard server builds.

Affected upstream kernel versions (per NVD):

  • 4.x: before 4.19.316
  • 5.x: before 5.10.188
  • 6.x: before 6.6.124

The fix shipped February 5, 2026. If your kernel predates that and falls in any of the ranges above, you are vulnerable.

Confirmed affected distributions (unpatched builds):

  • Ubuntu 22.04 LTS and 24.04 LTS
  • Debian Bookworm and Trixie
  • RHEL 10

Are you exposed?

First, check your running kernel version:

uname -r

Then check whether unprivileged user namespaces are enabled:

cat /proc/sys/kernel/unprivileged_userns_clone   # Debian/Ubuntu
# or
sysctl kernel.unprivileged_userns_clone

If the value is 1, unprivileged users can create user namespaces, and a user namespace grants CAP_NET_ADMIN over its own network namespace, which is what lets an unprivileged local user reach the vulnerable nf_tables code path. A value of 0 significantly limits exploitability but does not patch the underlying bug.
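As an added example (not part of the advisory), the following POSIX shell script turns the two checks above into functions that can be tested against sample release strings: it strips the distribution suffix from the output of uname -r, compares the version with the fixed release for its stable branch using the thresholds the advisory lists, and reads the user-namespace knob. The function names, the reading of the version ranges as the three named stable branches (any other branch is reported as "unlisted"), and the fallback to the upstream user.max_user_namespaces sysctl on distributions that lack the Debian/Ubuntu kernel.unprivileged_userns_clone knob are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): compare a kernel release string with
# the fixed versions the advisory lists and report the user-namespace knob.
# Thresholds and the Debian/Ubuntu sysctl name come from the advisory; the
# function names and the user.max_user_namespaces fallback are assumptions.

# kernel_numeric RELEASE: strip a distro suffix, "6.6.87-1-amd64" -> "6.6.87"
kernel_numeric() {
    printf '%s\n' "${1%%[!0-9.]*}"
}

# version_ge A B: succeed if A >= B, comparing x.y.z numerically per component.
version_ge() {
    _a=$(kernel_numeric "$1"); _b=$(kernel_numeric "$2")
    _oldifs=$IFS; IFS=.
    set -- $_a; _a1=${1:-0}; _a2=${2:-0}; _a3=${3:-0}
    set -- $_b; _b1=${1:-0}; _b2=${2:-0}; _b3=${3:-0}
    IFS=$_oldifs
    if [ "$_a1" -gt "$_b1" ]; then return 0; fi
    if [ "$_a1" -lt "$_b1" ]; then return 1; fi
    if [ "$_a2" -gt "$_b2" ]; then return 0; fi
    if [ "$_a2" -lt "$_b2" ]; then return 1; fi
    if [ "$_a3" -ge "$_b3" ]; then return 0; fi
    return 1
}

# kernel_status RELEASE: print "patched", "vulnerable" or "unlisted" for the
# three stable branches the advisory names (4.19, 5.10, 6.6). Any other
# branch is "unlisted": check it against the distribution's own advisory.
kernel_status() {
    _v=$(kernel_numeric "$1")
    _branch=${_v%.*}                     # "6.6.87" -> "6.6"
    case "$_branch" in
        4.19) _fixed=4.19.316 ;;
        5.10) _fixed=5.10.188 ;;
        6.6)  _fixed=6.6.124 ;;
        *)    echo unlisted; return 0 ;;
    esac
    if version_ge "$_v" "$_fixed"; then echo patched; else echo vulnerable; fi
}

# userns_status [ROOT]: print "enabled", "disabled" or "unknown". Reads the
# Debian/Ubuntu knob from the advisory first and falls back to the upstream
# user.max_user_namespaces limit (assumption: 0 means no new user namespaces).
# ROOT defaults to /proc/sys; pass a directory of sample files to test offline.
userns_status() {
    _root=${1:-/proc/sys}
    if [ -r "$_root/kernel/unprivileged_userns_clone" ]; then
        read -r _val < "$_root/kernel/unprivileged_userns_clone"
        [ "$_val" -eq 1 ] && echo enabled || echo disabled
    elif [ -r "$_root/user/max_user_namespaces" ]; then
        read -r _val < "$_root/user/max_user_namespaces"
        [ "$_val" -gt 0 ] && echo enabled || echo disabled
    else
        echo unknown
    fi
}

# Report for the running host.
main() {
    _rel=$(uname -r)
    echo "kernel $_rel: $(kernel_status "$_rel")"
    echo "unprivileged user namespaces: $(userns_status)"
}

main
```

Distributions routinely backport fixes without changing the upstream version string (a Debian 5.10.0-NN kernel can carry the fix while still reading as 5.10.0), so a "vulnerable" or "unlisted" result means "confirm against the package changelog or the distribution's advisory", not a confirmed exposure; a "patched" result on an upstream or mainline kernel can be trusted as stated.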


How to patch

Update your kernel through your distribution's normal package manager and reboot:

# Ubuntu / Debian
sudo apt update && sudo apt dist-upgrade
sudo reboot
 
# RHEL / Rocky / AlmaLinux
sudo dnf update kernel && sudo reboot

After rebooting, verify the new kernel is running with uname -r and confirm you're on 4.19.316+, 5.10.188+, or 6.6.124+ depending on your branch.

If you cannot reboot immediately, a partial mitigation is to disable unprivileged user namespaces:

sudo sysctl -w kernel.unprivileged_userns_clone=0

Persist it across reboots by adding kernel.unprivileged_userns_clone=0 to /etc/sysctl.d/99-userns.conf. Note that this may break sandboxed applications (browsers, Flatpak, some container runtimes) that rely on user namespaces.


How urgent is this?

CVSS score: 7.8 (High) — local privilege escalation to root with container escape capability.

The bug itself is four months old. What changed on June 8 is that Exodus Intelligence published a complete technical walkthrough with working exploit code. FuzzingLabs had already independently reproduced it in April. The combination of two public exploit implementations and a detailed write-up means exploitation is no longer theoretical or researcher-only.

Multi-tenant environments, CI runners, and any host where users you don't fully trust can log in should treat this as urgent. Single-user workstations are lower risk but still worth patching on the next maintenance window.


CVE-2026-23111 / CVSS 7.8