Local Privilege Escalation in Linux nf_tables (CVE‑2026‑23231) Impacts Kernels 3.16‑6.19.3
What Happened – A use‑after‑free bug in the nf_tables subsystem (CVE‑2026‑23231) allows an unprivileged user to race kernel memory allocation, spray a crafted msg_msg object, and overwrite modprobe_path to gain root. The vulnerability affects Linux kernel versions 3.16 through 6.19.3 and is patched in later releases (6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4).
Why It Matters for TPRM –
- Third‑party SaaS or IaaS providers that run unpatched Linux kernels expose their customers to privilege‑escalation attacks.
- Compromise of a host can lead to lateral movement across multi‑tenant environments, jeopardizing data confidentiality and service integrity.
- Many managed service contracts lack explicit kernel‑patch compliance clauses, creating hidden supply‑chain risk.
Who Is Affected – Cloud‑hosting providers, managed service providers (MSPs/MSSPs), container‑orchestration platforms, and any organization that runs Linux kernels older than 6.19.4.
Recommended Actions –
- Verify that all Linux hosts (bare‑metal, VM, containers) run a kernel version that includes the fix.
- Add kernel‑patch compliance checks to vendor security questionnaires.
- Deploy runtime integrity monitoring (e.g., kernel module signing, SELinux/AppArmor) to detect unexpected modprobe_path changes.
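A triage script for the first and third actions, added here as an example and not taken from the advisory or the exploit-db entry: it classifies a kernel version against the fixed releases listed above and checks that the kernel's modprobe helper path (/proc/sys/kernel/modprobe) still holds the expected value. It assumes `uname -r`-style dotted versions and the kernel default of /sbin/modprobe; distribution kernels that backport the fix without bumping the version will be reported as vulnerable, so confirm with the vendor's changelog.

```shell
#!/bin/sh
# Added example: kernel version triage for CVE-2026-23231 plus a modprobe_path check.
# Assumption: distro kernels that backport the fix keep their old version string,
# so "vulnerable" here means "needs confirmation", not proof of exposure.

# Branch -> first fixed release, as listed in the advisory.
FIXED="6.1:6.1.165 6.6:6.6.128 6.12:6.12.75 6.18:6.18.14 6.19:6.19.4"

# ver_ge A B: succeed when dotted version A >= B (missing components count as 0).
ver_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
    [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
  done
  return 0
}

# kernel_status VERSION: prints patched | vulnerable | not-affected.
kernel_status() {
  v=${1%%-*}                        # "6.6.0-21-amd64" -> "6.6.0"
  v=${v%%[!0-9.]*}                  # drop any trailing non-numeric tail
  branch=${v%.*}                    # "6.1.165" -> "6.1"
  ver_ge "$v" 3.16 || { echo not-affected; return; }   # affected range starts at 3.16
  ver_ge "$v" 6.19.4 && { echo patched; return; }      # mainline fix
  for entry in $FIXED; do
    if [ "${entry%%:*}" = "$branch" ]; then
      ver_ge "$v" "${entry#*:}" && echo patched || echo vulnerable
      return
    fi
  done
  echo vulnerable                    # in range, no listed fix for this stable branch
}

# modprobe_path_ok ACTUAL EXPECTED: succeed when the helper path is unchanged
# (overwriting it is the end state of the exploit the advisory describes).
modprobe_path_ok() { [ "$1" = "$2" ]; }

main() {
  echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
  actual=$(cat /proc/sys/kernel/modprobe 2>/dev/null)
  if modprobe_path_ok "$actual" /sbin/modprobe; then
    echo "modprobe_path ok ($actual)"
  else
    echo "ALERT: modprobe_path is '$actual', expected /sbin/modprobe"
  fi
}
main
```

Run it from a cron job or an agent hook and alert on any line beginning with ALERT or containing "vulnerable".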
Technical Notes – The flaw resides in nf_tables_addchain() which publishes a new chain before hook registration. If hook registration fails, the chain is freed without RCU synchronization, creating a use‑after‑free. An attacker can trigger the failure via memory pressure, race a chain dump, and spray the freed slot with msg_msg objects to corrupt kernel memory and overwrite modprobe_path. CVSS 7.8 (High). Source: https://www.exploit-db.com/exploits/52549