APPLIED: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23111
Stefan Bader
stefan.bader at canonical.com
Wed Mar 4 10:43:44 UTC 2026
On 24/02/2026 02:07, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
>
> nft_map_catchall_activate() has an inverted element activity check
> compared to its non-catchall counterpart nft_mapelem_activate() and
> compared to what is logically required.
>
> nft_map_catchall_activate() is called from the abort path to re-activate
> catchall map elements that were deactivated during a failed transaction.
> It should skip elements that are already active (they don't need
> re-activation) and process elements that are inactive (they need to be
> restored). Instead, the current code does the opposite: it skips inactive
> elements and processes active ones.
>
> Compare the non-catchall activate callback, which is correct:
>
> nft_mapelem_activate():
>     if (nft_set_elem_active(ext, iter->genmask))
>         return 0; /* skip active, process inactive */
>
> With the buggy catchall version:
>
> nft_map_catchall_activate():
>     if (!nft_set_elem_active(ext, genmask))
>         continue; /* skip inactive, process active */
>
> The consequence is that when a DELSET operation is aborted,
> nft_setelem_data_activate() is never called for the catchall element.
> For NFT_GOTO verdict elements, this means nft_data_hold() is never
> called to restore the chain->use reference count. Each abort cycle
> permanently decrements chain->use. Once chain->use reaches zero,
> DELCHAIN succeeds and frees the chain while catchall verdict elements
> still reference it, resulting in a use-after-free.
>
> This is exploitable for local privilege escalation from an unprivileged
> user via user namespaces + nftables on distributions that enable
> CONFIG_USER_NS and CONFIG_NF_TABLES.
>
> Fix by removing the negation so the check matches nft_mapelem_activate():
> skip active elements, process inactive ones.
>
> [Fix]
>
> Questing: applied Jammy patch
> Noble: applied Jammy patch
> Jammy: cherry picked from upstream
> Focal: not affected
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The fix corrects a logic error in the core nftables API,
> specifically in the abort path for failed transactions.
> Errors might appear as failures to reinstate these catch-all
> map elements as active.
>
> Andrew Fasano (1):
> netfilter: nf_tables: fix inverted genmask check in
> nft_map_catchall_activate()
>
> net/netfilter/nf_tables_api.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Applied to questing,noble,jammy:linux/master-next. Thanks.
-Stefan
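The abort-path logic the quoted commit message lays out, modelled in C as an added example. This is not code from the thread, the patch or the kernel: every identifier ending in _model, the GENMASK_NEXT bit value and the one-accept-element-plus-one-goto-catchall map are assumptions made for illustration. The model runs the same aborted DELSET through the correct nft_mapelem_activate() check and through both versions of the catchall check, and shows that only the inverted version leaves chain->use short, so that a following DELCHAIN is allowed to free a chain the catchall verdict still points at.

```c
/* Added model of the inverted genmask check the commit message describes. It is
 * an illustration written for this page, not kernel code: each identifier ending
 * in _model stands in for the nf_tables function or struct named beside it. */
#include <stdbool.h>
#include <stdio.h>

#define GENMASK_NEXT 0x2U /* assumed bit of the pending generation in a genmask */

struct chain_model { int use; };  /* nft_chain: only chain->use matters here */
struct elem_model {               /* a map element */
    unsigned int genmask;         /* bit set => inactive in that generation */
    struct chain_model *chain;    /* NFT_GOTO target; NULL for e.g. an accept verdict */
};

/* nft_set_elem_active(): active in a generation when that bit is clear. */
static bool elem_active_model(const struct elem_model *e, unsigned int genmask)
{
    return !(e->genmask & genmask);
}

/* DELSET side: mark an active element inactive in the next generation and
 * release its data; nft_data_release() drops chain->use for a goto verdict. */
static void delset_deactivate_model(struct elem_model *e, unsigned int genmask)
{
    if (!elem_active_model(e, genmask))
        return;
    e->genmask |= genmask;
    if (e->chain)
        e->chain->use--;
}

/* Abort side: nft_clear() plus nft_setelem_data_activate(), whose
 * nft_data_hold() takes chain->use back for a goto verdict. */
static void reactivate_model(struct elem_model *e, unsigned int genmask)
{
    e->genmask &= ~genmask;
    if (e->chain)
        e->chain->use++;
}

/* nft_mapelem_activate(): the correct check, skip active, process inactive. */
static void mapelem_activate_model(struct elem_model *e, unsigned int genmask)
{
    if (elem_active_model(e, genmask))
        return;
    reactivate_model(e, genmask);
}

/* nft_map_catchall_activate(). With inverted == true the check behaves like the
 * pre-fix "if (!nft_set_elem_active(ext, genmask)) continue;". */
static void map_catchall_activate_model(struct elem_model *e, unsigned int genmask,
                                        bool inverted)
{
    bool active = elem_active_model(e, genmask);
    if (inverted ? !active : active)
        return;
    reactivate_model(e, genmask);
}

/* A map holding an accept element and a goto catchall (chain->use == 1) goes
 * through DELSET and then the abort path. */
static void aborted_delset_model(struct chain_model *chain, bool inverted)
{
    struct elem_model regular = { .genmask = 0, .chain = NULL };
    struct elem_model catchall = { .genmask = 0, .chain = chain };

    chain->use = 1;                                   /* held by the catchall */
    delset_deactivate_model(&regular, GENMASK_NEXT);  /* DELSET deactivates all */
    delset_deactivate_model(&catchall, GENMASK_NEXT);
    mapelem_activate_model(&regular, GENMASK_NEXT);   /* abort re-activates */
    map_catchall_activate_model(&catchall, GENMASK_NEXT, inverted);
}

/* chain->use after one aborted DELSET: 1 with the fix, 0 with the inverted check. */
static int use_after_aborted_delset_model(bool inverted)
{
    struct chain_model chain;
    aborted_delset_model(&chain, inverted);
    return chain.use;
}

/* DELCHAIN is allowed, and frees the chain, only when chain->use is zero; here
 * the catchall verdict still points at that chain, which is the dangling
 * reference behind the use-after-free. */
static bool delchain_succeeds_after_abort_model(bool inverted)
{
    struct chain_model chain;
    aborted_delset_model(&chain, inverted);
    return chain.use == 0;
}

int main(void)
{
    printf("chain->use after aborted DELSET: fixed=%d inverted=%d\n",
           use_after_aborted_delset_model(false), use_after_aborted_delset_model(true));
    printf("DELCHAIN frees the still-referenced chain (inverted check): %s\n",
           delchain_succeeds_after_abort_model(true) ? "yes" : "no");
    return 0;
}
```

The model deliberately ignores the generation cursor, element busy flags and the rest of the transaction machinery; it only tracks the one thing the fix changes, which element the abort callback restores, and the one thing that makes the bug exploitable, the reference count that gates DELCHAIN. On a real kernel the quickest check that a build carries the fix is the one-line diff in net/netfilter/nf_tables_api.c named in the diffstat above.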