Linux Kernel nftables Use-After-Free Flaw Grants Root Access on Major Distributions

A use-after-free flaw in the Linux kernel's nftables subsystem enables local privilege escalation to root on Debian and Ubuntu systems.

CSBadmin

Vulnerability Discovery and Impact

A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been uncovered that allows unprivileged local attackers to gain root privileges on widely used distributions, including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. The flaw was identified in early 2025 and was patched upstream on February 5, 2026. Oliver Sieber, a security researcher at Exodus Intelligence, published a detailed technical report along with a working proof of concept that achieves more than 99 percent reliability on idle systems.

Root Cause and Exploit Mechanism

The bug resides in the nft_map_catchall_activate() function of the nftables packet filtering framework. An inverted conditional check, caused by a misplaced operator, causes inactive catchall elements to be skipped during transaction abort instead of being reactivated. When a pipapo-backed verdict map containing a catchall element that references a chain is deleted, and a later transaction in the same batch triggers an abort, the catchall element is left improperly inactive. The chain’s reference counter therefore drops to zero while a valid reference to the chain still exists. An attacker can then delete the chain, leaving a dangling pointer in a base chain rule and triggering a use-after-free condition.

Exploitation Steps and KASLR Bypass

The exploit chains four transaction batches to manipulate nftables’ generational cursor. The first batch deletes the pipapo set, then forces an error so that the chain’s reference counter is incorrectly decremented. The second batch sends a benign transaction to toggle the generational cursor. The third batch cleanly deletes the pipapo set, driving the chain’s reference counter to zero. The fourth batch deletes the chain while the base chain still holds a live rule referencing it. To defeat KASLR, the exploit reclaims the freed slab object with a seq_operations structure, which is then leaked through an NFT_MSG_GETRULE request. Heap addresses are exfiltrated by reclaiming freed objects with crafted nft_rule structures. Control-flow hijacking is achieved by overwriting the deleted chain’s blob_gen_0 pointer with a fake chain structure.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
