Linux kernel flaw allows root escalation via single character error
A high-severity use-after-free bug in the nf_tables subsystem, caused by a single errant exclamation mark, enables unprivileged users on Debian and Ubuntu to gain root access.
Researchers have identified a high-severity vulnerability in the Linux kernel, tracked as CVE-2026-23111, which allows unprivileged users to escalate privileges to root. The flaw resides in the nf_tables subsystem, which manages firewall rules and packet filtering, and was triggered by a single errant exclamation mark in the code. This typographical error introduced a use-after-free error, a class of vulnerability that corrupts memory by placing malicious code at addresses that have not been properly freed.
The vulnerability was patched in the Linux kernel in February, but security firms Exodus Intelligence and FuzzingLabs have since demonstrated proof-of-concept exploits. Exodus Intelligence published a detailed analysis on Monday, outlining how the bug disrupts the deletion of verdicts within the nf_tables framework. The exploit targets catchall elements and reference counters, allowing an attacker to decrement variables arbitrarily and free chains while objects still point to them.
According to the researchers from Exodus Intelligence, the exploit achieves a stability rate of greater than 99 per cent on an idle system. This high stability is notable given that the attack requires triggering the use-after-free vulnerability multiple times to leak kernel base addresses, heap addresses, and hijack control flow. The demonstration confirmed that the flaw affects Debian and Ubuntu systems specifically.
The vulnerability is significant because it can be chained with other exploits to evade security defences baked into the operating system. It is identified as one of at least three potent elevation-of-privilege vulnerabilities affecting Linux in recent weeks. The source material contains conflicting identifiers, referencing both CVE-2026-23111 and CVE-2026-53111, though the core event remains the same high-severity root escalation risk.
FuzzingLabs previously demonstrated a proof-of-concept exploit for this issue in April. The persistence of these exploits post-patch highlights the importance of timely updates for systems relying on the nf_tables subsystem. The incident underscores how minor coding errors can have severe security implications for infrastructure and institutional deployments.
