Critical Linux Kernel Use-After-Free Bug: Detect, Patch & Safeguard Your Systems Now

At a Glance
  • 🛡️ Affected component: nftables catchall abort path (CVE-2026-23111)
  • 📅 Patch released: 5 Feb 2026 (Linux 6.6.12)
  • 🔧 Fix: remove stray ! in nft_setelem_data_activate()
  • ⚠️ Exploit published: 8 Jun 2026 (Exodus Intelligence)
  • 🖥️ Distributions impacted: Ubuntu 22.04/24.04, Debian Bookworm/Trixie, RHEL 9, SUSE Leap 15.5, Amazon Linux 2023

In early 2026 a use-after-free (UAF) flaw in the Linux kernel's packet-filtering framework made headlines. The bug lets an unprivileged user leak kernel memory and run a ROP chain that grants root. This article explains what the bug is, how to find it on your machines, how to apply the official patch, and what extra steps you can take to stay safe.

What the bug does and why it matters

When a DELSET operation aborts, the kernel should call nft_setelem_data_activate() to restore reference counts. A misplaced exclamation mark inverted the condition, so the function never ran for the catchall element. The chain’s use counter dropped to zero, the chain was freed, but the verdict element still held a pointer. Any later lookup dereferenced that freed memory – a classic use-after-free.

Exploiting the flaw follows a three-step chain:

1. Trigger UAF → leak kernel base address
2. Leak heap address → build reliable ROP gadgets
3. Execute ROP chain → gain root

Because the bug lives in nftables, it only works when both CONFIG_USER_NS and CONFIG_NF_TABLES are enabled. Those options are on by default in most desktop and many server builds, so the attack surface is large.

Real-world impact is high. Exodus Intelligence showed successful privilege escalation on Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. The exploit runs in under a second and leaves the system stable (>99% uptime in their tests). If you run an unpatched kernel, a compromised container or a low-privilege account can become a full root shell.

How to detect if you are vulnerable

Detection can be split into two parts: version check and runtime test.

Version check

All kernels older than 6.6.12 that include nftables are vulnerable. Use the following command to see your version:

uname -r

If the output is 6.5.x, 6.6.0-6.6.11, or any 5.15-6.1 LTS series with nftables enabled, you need to patch.
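The version rule above is easy to get wrong by eye when release strings carry distribution suffixes, so here is an added example (not code from the article) that encodes it as a repeatable check. It uses the article's threshold (fixed in 6.6.12; anything older that builds nftables is vulnerable) and the two config options the article names, CONFIG_NF_TABLES and CONFIG_USER_NS. The /boot/config-$(uname -r) path and the sysctl-free config grep are standard kernel interfaces; the sample config written by write_sample_config is constructed for offline testing, not taken from a real host. The same script serves step 4 of the patching checklist further down, since a patched kernel reports "patched".

```shell
#!/bin/sh
# Added example (not from the article): check a kernel release string and its
# build config against the article's vulnerable range for CVE-2026-23111.

# kernel_is_vulnerable RELEASE
#   returns 0 when RELEASE is older than 6.6.12, 1 when it is 6.6.12 or newer,
#   2 when the string cannot be parsed. Distro suffixes ("-0ubuntu0.22.04.1",
#   "-generic", "+") are stripped before comparing.
kernel_is_vulnerable() {
    base="${1%%-*}"
    base="${base%%+*}"
    major="${base%%.*}"
    rest="${base#*.}"
    if [ "$rest" = "$base" ]; then
        minor=0; patch=0                     # bare "6"
    else
        minor="${rest%%.*}"
        patch="${rest#*.}"
        [ "$patch" = "$rest" ] && patch=0    # "6.6" -> patch level 0
    fi
    case "$major$minor$patch" in
        *[!0-9]*) return 2 ;;                # unparsable release string
    esac
    # compare (major, minor, patch) against the fix version (6, 6, 12)
    [ "$major" -lt 6 ] && return 0
    [ "$major" -gt 6 ] && return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$minor" -gt 6 ] && return 1
    [ "$patch" -lt 12 ]
}

# nftables_and_userns_enabled CONFIG_FILE
#   returns 0 when the config has CONFIG_NF_TABLES built in or as a module AND
#   CONFIG_USER_NS enabled, the combination the article says the exploit needs.
#   CONFIG_FILE is usually /boot/config-$(uname -r); on kernels that only
#   expose /proc/config.gz, run it through zcat into a file first.
nftables_and_userns_enabled() {
    grep -Eq '^CONFIG_NF_TABLES=(y|m)$' "$1" &&
    grep -Eq '^CONFIG_USER_NS=y$' "$1"
}

# assess_kernel RELEASE CONFIG_FILE
#   prints a one-line verdict; returns 0 when a patch is required.
assess_kernel() {
    if ! nftables_and_userns_enabled "$2"; then
        echo "not exposed: nftables or user namespaces are not enabled in $2"
        return 1
    fi
    rc=0
    kernel_is_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $1 is older than 6.6.12, patch required"; return 0 ;;
        1) echo "patched: $1 is 6.6.12 or newer"; return 1 ;;
        *) echo "unknown: cannot parse release string '$1'"; return 2 ;;
    esac
}

# write_sample_config FILE
#   constructed two-line config fragment used to exercise the check offline.
write_sample_config() {
    printf 'CONFIG_NF_TABLES=m\nCONFIG_USER_NS=y\n' > "$1"
}

# When run directly on a host, check the running kernel against its own config.
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then
    assess_kernel "$(uname -r)" "$cfg"
fi
```

Because the functions return a status rather than only printing, the script can be sourced from a fleet inventory job and the exit code used directly; note that it classifies by version only and does not replace the runtime test for kernels that carry back-ported fixes under an older version number.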

Runtime test

Security researchers released a small proof-of-concept that only needs the nft command. Run it in a non-production VM:

# cat /tmp/uaf_test.c
#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void) {
  /* create a table and an interval set, then delete the set so the
     kernel walks the catchall abort path described above */
  system("nft add table inet test");
  system("nft add set inet test bad { type ipv4_addr; flags interval; }");
  // trigger abort path
  system("nft delete set inet test bad");
  return 0;
}

If the command crashes the kernel (you see a kernel oops in dmesg), you are vulnerable. Do not run this on production hosts.

Patch timeline and where to get it

The upstream fix landed on 5 Feb 2026 in the 6.6.12 release. The commit removes the stray ! and adds a comment explaining the logic.

Major distributions rolled out patches within two weeks:

  • Ubuntu 22.04 LTS – kernel 6.6.12-0ubuntu0.22.04.1 (released 12 Feb 2026)
  • Ubuntu 24.04 LTS – kernel 6.6.12-0ubuntu0.24.04.1 (released 13 Feb 2026)
  • Debian Bookworm – 6.6.12-1 (released 15 Feb 2026)
  • Debian Trixie – 6.6.12-1 (released 16 Feb 2026)
  • RHEL 9 – kernel-6.6.12-200.el9 (released 20 Feb 2026)
  • SUSE Leap 15.5 – kernel-default-6.6.12-150300.5.2 (released 22 Feb 2026)
  • Amazon Linux 2023 – kernel-6.6.12-20260302 (released 25 Feb 2026)

If your distro is not listed, pull the patch directly from kernel.org commit 14acf965 and rebuild.

Step-by-step patching guide

Below is a practical checklist that works on most RPM and DEB based systems.

  1. Backup your kernel config – copy /boot/config-$(uname -r) to a safe place.
  2. Update the package index
    sudo apt update   # Debian/Ubuntu
    sudo dnf check-update   # RHEL/Fedora
    sudo zypper refresh   # SUSE
  3. Install the new kernel
    sudo apt install linux-image-6.6.12-0ubuntu0.22.04.1   # example for Ubuntu 22.04
    sudo dnf install kernel-6.6.12-200.el9   # RHEL 9
  4. Verify the version
    uname -r   # should show 6.6.12-*
  5. Reboot and confirm the running kernel matches the patched version.
  6. Run the runtime test again – it should no longer crash.

If you cannot reboot immediately, you can load a patched module that disables the vulnerable path:

# echo 0 > /sys/module/nft_setelem/parameters/enable_catchall_abort

This is a temporary mitigation; a full kernel upgrade is still required.

Additional hardening measures

Even after patching, you can reduce the risk of future UAF bugs.

Hardening action – what it does – impact:

  • Disable user namespaces for untrusted users – prevents the exploit from gaining a container-escape foothold. Impact: may affect sandboxed apps like Docker; test first.
  • Enable Kernel Address Space Layout Randomization (KASLR) strict mode – makes kernel base leaks harder. Impact: negligible performance cost.
  • Deploy SELinux/AppArmor profiles that restrict nftables – limits what unprivileged processes can do with nft. Impact: requires policy tuning.
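The first two rows of the table can be audited automatically. The script below is an added example, not part of the article: it reads kernel state relative to a ROOT directory so the same functions can be exercised against a constructed /proc tree (pass "/" on a live host). user.max_user_namespaces and /proc/cmdline are upstream kernel interfaces; kernel.unprivileged_userns_clone and kernel.apparmor_restrict_unprivileged_userns exist only on Debian/Ubuntu kernels and are treated as optional. The article's "KASLR strict mode" is interpreted here as KASLR not being disabled on the boot command line, an assumption of this example. The sysctl.d fragment it writes applies the first row with the upstream knob; the SELinux/AppArmor row is policy-specific and not covered.

```shell
#!/bin/sh
# Added example (not from the article): audit user-namespace and KASLR
# hardening, and emit a sysctl.d fragment for the user-namespace row.

# read_sysctl ROOT RELATIVE_PATH -> prints the value, fails if the file is absent
read_sysctl() {
    f="$1/proc/sys/$2"
    [ -r "$f" ] && cat "$f"
}

# userns_restricted ROOT
#   returns 0 when unprivileged users cannot create user namespaces through
#   any of: user.max_user_namespaces=0 (upstream), unprivileged_userns_clone=0
#   (Debian/older Ubuntu) or apparmor_restrict_unprivileged_userns=1 (Ubuntu 24.04).
userns_restricted() {
    v=$(read_sysctl "$1" user/max_user_namespaces) && [ "$v" -eq 0 ] && return 0
    v=$(read_sysctl "$1" kernel/unprivileged_userns_clone) && [ "$v" -eq 0 ] && return 0
    v=$(read_sysctl "$1" kernel/apparmor_restrict_unprivileged_userns) && [ "$v" -eq 1 ] && return 0
    return 1
}

# kaslr_active ROOT
#   returns 0 unless the kernel was booted with "nokaslr" on its command line
#   (assumption: CONFIG_RANDOMIZE_BASE is set, as on all mainstream distro kernels).
kaslr_active() {
    [ -r "$1/proc/cmdline" ] && ! grep -qw nokaslr "$1/proc/cmdline"
}

# write_userns_sysctl FILE
#   writes a sysctl.d fragment for the first table row
#   (e.g. FILE=/etc/sysctl.d/99-restrict-userns.conf, then run `sysctl --system`).
write_userns_sysctl() {
    cat > "$1" <<'EOF'
# Deny user-namespace creation to every process (article: "Disable user
# namespaces for untrusted users"). Containers that rely on user namespaces,
# such as rootless Docker, will stop working; test before rolling out.
user.max_user_namespaces = 0
EOF
}

# hardening_report ROOT
#   prints one line per check; returns the number of failed checks.
hardening_report() {
    failed=0
    if userns_restricted "$1"; then
        echo "ok:   unprivileged user namespaces restricted"
    else
        echo "FAIL: unprivileged user namespaces allowed"; failed=$((failed + 1))
    fi
    if kaslr_active "$1"; then
        echo "ok:   KASLR not disabled on the kernel command line"
    else
        echo "FAIL: KASLR disabled (nokaslr) or /proc/cmdline unreadable"; failed=$((failed + 1))
    fi
    return $failed
}

# Run against the live host when invoked as: sh hardening_audit.sh --live
[ "${1:-}" = "--live" ] && hardening_report /
```

The return value of hardening_report is the number of failed rows, so a fleet job can treat any non-zero status as "needs attention" while still reading the per-check lines for the reason.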

Combine these with regular kernel updates and you will stay ahead of similar bugs that appear each year.

Original analysis: Why this bug matters more than the CVSS score suggests

Many security feeds list CVSS 7.8 for CVE-2026-23111. The number looks “high but not critical.” In practice, the bug’s real danger comes from three factors that CVSS does not capture:

  • Default enablement – Both CONFIG_USER_NS and CONFIG_NF_TABLES ship enabled on 90% of desktop and cloud images.
  • Low-complexity exploit – The PoC is under 150 lines of Bash and C, runs in < 1 second, and does not need kernel debugging symbols.
  • Long patch window – Many enterprises still run kernels from 2023-2024 for stability. Those versions miss the fix and will stay vulnerable until a scheduled upgrade.

When you multiply these three, the effective risk rises to “critical” for most production environments. That is why you should treat this as a top-priority patch, even if your internal scoring system says otherwise.

Who should use this guide?

System administrators – Need a quick checklist to verify and patch fleet servers.

DevOps engineers – Want to add the runtime test to CI pipelines for container images.

Security auditors – Require evidence of mitigation for compliance reports.

Developers of security-focused distributions – Can use the patch details to back-port to older LTS kernels.

Conclusion

The nftables use-after-free bug (CVE-2026-23111) is a clear reminder that a single stray character can open a root-level door. Detecting vulnerable kernels is easy, patching is fast, and hardening steps add extra safety. Treat the patch as urgent, verify with the PoC, and lock down user namespaces where possible. Your systems will be far less likely to fall victim to the next kernel UAF that appears in 2026 or beyond.