
Linux Kernel Flaw Lets Attackers Gain Root with a Single Character

A simple coding error, reduced to a single character in the Linux kernel code, is at the root of a security flaw: CVE-2026-23111. By exploiting it, a local attacker can elevate privileges to root on a Linux machine. Here’s what you need to know about this vulnerability.

A single character at the origin of the security flaw

It’s a small detail, but it matters: one misplaced character is all it takes to introduce a vulnerability into the Linux kernel. This flaw is located in the nftables network filtering module of the Linux kernel (nf_tables). It is a use-after-free vulnerability, which stems from an inverted check caused by what could be described as a stray character.

Associated with the CVE-2026-23111 identifier and a CVSS score of 7.8 out of 10, it allows a local attacker to elevate privileges to root. In other words, if an attacker already has user-level access to a machine (for example through another vulnerability), they can become root by exploiting this issue.

This security flaw was discovered in 2025 by Oliver Sieber of Exodus Intelligence. Using this vulnerability, he was able to design an exploit that triggers the use-after-free, then bypasses the memory protections built into the Linux kernel. In the end, this makes it possible to escape the container namespace with root privileges.

Present by default on most Linux distributions, the unprivileged user namespaces feature allows an ordinary account to act as root inside a private sandbox, giving it access to kernel code that is normally unreachable.

Here is the timeline associated with this vulnerability, which helps explain why it is only making headlines now.

  • February 5, 2026: the upstream fix is published in the Linux kernel (see this page).
  • April 16, 2026: FuzzingLabs publishes its own independent reproduction of the flaw tested on RHEL 10, developed ahead of the Pwn2Own Berlin 2026 contest using a different method.
  • June 8, 2026: Exodus Intelligence publishes its detailed technical analysis.

The fix integrated into the Linux kernel shows that the security patch comes down to a single line: it simply removes the ! character to reverse the test performed by the if statement.

How can you protect yourself against CVE-2026-23111?

The researcher demonstrated the effectiveness of his method on several systems: Debian 12 Bookworm, Debian 13 Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. All were vulnerable, but all are also covered by a security patch for this vulnerability.

Indeed, fixes are available for Ubuntu (versions 22.04, 24.04, and 25.10) as well as for Debian (Bookworm and Trixie, with a backport to version 6.1 for Bullseye LTS). The exact version where the patch was integrated may vary from one distribution and release to another, so check the security advisories for the one you are using.

For example, on Debian 13, this vulnerability was patched in Linux kernel versions 6.12.86-1 and 6.12.90-2 (see this page).
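The Debian 13 version above and the user namespaces setting described earlier can be checked together on a host. The script below is an added example, not code from the article or from Debian; it compares the running kernel (not just the installed package) with the first fixed version the article cites, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): is the RUNNING Debian 13 kernel patched?
# FIXED_VERSION is the first version the article cites for Debian 13; treat it
# as an assumption and confirm it against the Debian security tracker.
FIXED_VERSION="6.12.86-1"

# running_pkg_version "<uname -v output>": extract the Debian package version,
# e.g. from "#1 SMP PREEMPT_DYNAMIC Debian 6.12.48-1 (2025-09-20)" (constructed).
running_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\) (.*/\1/p'
}

# version_ge A B: succeeds when A >= B. Prefers dpkg's comparison, falls back
# to GNU sort -V, which is adequate for plain "x.y.z-n" strings.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# userns_enabled CLONE MAX: succeeds when unprivileged user namespaces can be
# created. CLONE = kernel.unprivileged_userns_clone, MAX = user.max_user_namespaces;
# an empty value (sysctl absent) counts as enabled.
userns_enabled() {
    [ "${1:-1}" != "0" ] && [ "${2:-1}" != "0" ]
}

# assess UNAME_V CLONE MAX: print a verdict; status 0 patched, 1 vulnerable, 2 unknown.
assess() {
    ver=$(running_pkg_version "$1")
    if [ -z "$ver" ]; then echo "unknown: no Debian version in kernel build string"; return 2; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo "patched: running $ver"; return 0; fi
    if userns_enabled "$2" "$3"; then ns=enabled; else ns=disabled; fi
    echo "vulnerable: running $ver, unprivileged user namespaces $ns"
    return 1
}

# Check the live host only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    assess "$(uname -v)" \
        "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" \
        "$(sysctl -n user.max_user_namespaces 2>/dev/null)"
fi
```

Run it with `--live` after rebooting into the updated kernel, since an installed but not yet booted package leaves the running kernel unchanged.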

Although the situation is less urgent with this security flaw, it is part of a bad streak for the Linux kernel. Over the past few weeks, several vulnerabilities enabling local privilege escalation have been disclosed, including DirtyDecrypt and Fragnesia.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
