CVE-2026-23111: Linux Kernel nf_tables Use-After-Free Enables Unprivileged Root and Container Escape — Full Exploit Public via Exodus Intelligence

A working exploit for CVE-2026-23111, a use-after-free in the Linux kernel's nf_tables packet-filtering subsystem, was published by Exodus Intelligence on June 8, enabling any unprivileged local user to escalate to root and break out of containers on unpatched systems. The upstream patch landed February 5 with a one-line fix removing a single inverted conditional character; FuzzingLabs published an independent reproduction in April targeting RHEL 10, and Exodus published a full technical teardown June 8 — meaning working exploit code has been publicly available for approximately four months. The reachable attack surface is broad: nf_tables combined with unprivileged user namespaces ships by default on Ubuntu, Debian, and many server distributions, making this a high-priority patch-and-reboot event for any Linux fleet running containerized workloads or multi-tenant cloud infrastructure. No in-the-wild exploitation has been confirmed as of June 9.

No in-the-wild exploitation has been confirmed as of June 9.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.