Exodus Details CVE-2026-23111 Linux Root Exploit
Key insights
- CVE-2026-23111 was patched February 5, 2026; FuzzingLabs published a working root exploit on April 16, and Exodus Intelligence followed with a full technical walkthrough on June 8.
- The exploit requires only local access and unprivileged user namespaces, which are enabled by default on most Linux distributions.
- Exploit reliability exceeded 99% on idle systems and dropped to approximately 80% under heavy Apache benchmark load.
Why this matters
Ubuntu 22.04 and 24.04 LTS, distributions underpinning a large share of AI cloud infrastructure, are among the confirmed targets for CVE-2026-23111 -- any attacker with local shell access can reach root on an unpatched host with no special configuration required. The exploit's only prerequisite is unprivileged user namespaces, enabled by default on most distributions, meaning default-configured hosts are fully exposed without any operator misconfiguration. Red Hat, SUSE, and Amazon Linux are also tracking the vulnerability, placing this inside the mandatory patch-and-reboot window for teams running GPU clusters, inference endpoints, or training jobs on these distributions.
Summary
Exodus Intelligence published a full technical walkthrough June 8 for CVE-2026-23111, a use-after-free in the Linux kernel's nf_tables framework discovered by researcher Oliver Sieber in early 2025. The kernel patch landed February 5, 2026; FuzzingLabs published a working root exploit on April 16, ahead of the Exodus walkthrough.
The bug is an inverted check in nft_map_catchall_activate(): when a DELSET transaction is aborted, the activate path skips the catchall elements it is supposed to restore, so the chain->use reference count those elements dropped is never re-incremented. Repeating the abort drains chain->use to zero, and the kernel then frees the chain while catchall elements still reference it. Sieber's exploit triggers this across four transaction batches to leak kernel base and heap addresses before hijacking control flow.
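As an added illustration of that imbalance, the following is a constructed userland model, not code from Exodus, FuzzingLabs, or the kernel: the names (chain->use, catchall element, DELSET deactivate/activate, DELCHAIN) only mirror the concepts, and the generation masks the real code uses are left out. It runs the same aborted-DELSET sequence against a buggy and a corrected activate path and reports whether the chain ends up freed while an element still points at it.

```c
/* Constructed model of a refcount imbalance on an abort path. Not the kernel's
 * nf_tables code; struct and function names only mirror the concepts. */
#include <stdbool.h>
#include <stdio.h>

struct chain {
    int use;     /* how many rules or map elements reference this chain */
    bool freed;  /* models kfree(); any later access via an element is the UAF */
};

struct catchall_elem {
    struct chain *target;  /* element whose verdict jumps to target */
    bool active;           /* visible in the next generation */
};

struct set {
    struct catchall_elem elems[1];
    int nelems;
};

/* DELSET, prepare phase: each element drops the reference it holds. */
static void map_catchall_deactivate(struct set *s) {
    for (int i = 0; i < s->nelems; i++) {
        s->elems[i].active = false;
        s->elems[i].target->use--;
    }
}

/* Abort path with the check inverted: the elements DELSET just deactivated
 * are exactly the ones skipped, so their reference is never handed back. */
static void map_catchall_activate_buggy(struct set *s) {
    for (int i = 0; i < s->nelems; i++) {
        if (!s->elems[i].active)
            continue;
        s->elems[i].active = true;
        s->elems[i].target->use++;
    }
}

/* Corrected abort path: restore precisely what deactivate took away. */
static void map_catchall_activate_fixed(struct set *s) {
    for (int i = 0; i < s->nelems; i++) {
        if (s->elems[i].active)
            continue;
        s->elems[i].active = true;
        s->elems[i].target->use++;
    }
}

/* DELCHAIN refuses (-EBUSY in the kernel) while anything references the chain. */
static int delchain(struct chain *c) {
    if (c->use > 0)
        return -1;
    c->freed = true;
    return 0;
}

/* `rounds` DELSET batches, each prepared and then aborted. */
static void run_aborted_delsets(struct set *s, int rounds, bool buggy) {
    for (int r = 0; r < rounds; r++) {
        map_catchall_deactivate(s);
        if (buggy)
            map_catchall_activate_buggy(s);
        else
            map_catchall_activate_fixed(s);
    }
}

/* Chain referenced `initial_use` times (one by the catchall element, the rest
 * by ordinary rules). Returns chain->use after the aborted batches. */
int chain_use_after(int initial_use, int rounds, bool buggy) {
    struct chain ch = { .use = initial_use, .freed = false };
    struct set s = { .elems = { { &ch, true } }, .nelems = 1 };
    run_aborted_delsets(&s, rounds, buggy);
    return ch.use;
}

/* True when DELCHAIN succeeded and freed the chain although the catchall
 * element still points at it: the use-after-free the exploit builds on. */
bool uaf_reachable(int initial_use, int rounds, bool buggy) {
    struct chain ch = { .use = initial_use, .freed = false };
    struct set s = { .elems = { { &ch, true } }, .nelems = 1 };
    run_aborted_delsets(&s, rounds, buggy);
    delchain(&ch);
    return ch.freed && s.elems[0].target == &ch;
}

int main(void) {
    for (int buggy = 1; buggy >= 0; buggy--)
        printf("%s activate: chain->use after 3 aborted DELSETs = %d, UAF reachable = %s\n",
               buggy ? "buggy" : "fixed",
               chain_use_after(3, 3, buggy), uaf_reachable(3, 3, buggy) ? "yes" : "no");
    return 0;
}
```

The model needs one abort per outstanding reference; the real exploit's four batches also do heap shaping and the address leaks, which the model does not attempt.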
Essentially: two independent teams, Exodus Intelligence and FuzzingLabs, each reached a working exploit for the same Linux kernel flaw after the patch shipped.
- Exploit needs only local access and unprivileged user namespaces, the default on most distros.
- Reliability exceeded 99% on idle systems; drops to roughly 80% under heavy load (Apache benchmark testing).
- Confirmed on Debian Bookworm, Trixie, Ubuntu 22.04, and 24.04 LTS; FuzzingLabs also reproduced it on RHEL 10.
Ubuntu, Debian, Red Hat, SUSE, and Amazon Linux systems without the kernel update remain exposed.
Potential risks and opportunities
Risks
- Organizations running Ubuntu 22.04 or 24.04 LTS production hosts that cannot immediately reboot for kernel updates -- including AI inference and training clusters -- remain fully exposed to local privilege escalation by any user or compromised process.
- Red Hat, SUSE, and Amazon Linux customers face a confirmed vulnerability window while those distributions finalize patches; enterprises in regulated industries may face audit findings if CVE-2026-23111 remediation is reviewed before fixes are available and applied.
- FuzzingLabs' planned Pwn2Own Berlin 2026 demonstration against RHEL 10 could publicly validate the exploit on Red Hat's latest enterprise release, accelerating attacker adoption before Red Hat's patch reaches customers.
Opportunities
- Vendors offering live kernel patching for Ubuntu and Debian face near-term demand from operators who cannot take the mandatory reboot required to apply CVE-2026-23111 kernel updates on production systems.
- Security teams advising SUSE and Amazon Linux customers can differentiate immediately by delivering CVE-2026-23111 readiness assessments while those distributions remain in the tracking phase with no confirmed patch.
- Vendors with unprivileged user namespace restriction tooling gain a concrete, documented justification to approach organizations needing an interim mitigation path explicitly endorsed by the research community.
What we don't know yet
- Red Hat, SUSE, and Amazon Linux are listed as tracking CVE-2026-23111 -- the article confirms no patch availability or timeline for these distributions, unlike Ubuntu and Debian.
- FuzzingLabs targeted Pwn2Own Berlin 2026 with its RHEL 10 reproduction -- the article gives no outcome, no competition date, and no indication whether the demonstration has already occurred.
- The article recommends restricting unprivileged user namespaces as an interim mitigation but does not address whether doing so breaks containerized or sandboxed workloads running on affected distributions; rootless container runtimes, Flatpak, and browser sandboxes commonly depend on them, so the restriction needs testing per host before rollout.
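For the prerequisite named above (unprivileged user namespaces) and the interim mitigation of restricting them, the following probe is an added example written for this page, not code from the article or either research team. It reads the sysctls that govern unprivileged user namespaces and then asks the kernel directly by attempting unshare(CLONE_NEWUSER|CLONE_NEWNET) from a throwaway child, which is what an exploit must do to obtain CAP_NET_ADMIN over its own network namespace and reach nf_tables. The sysctl names are real kernel and Debian/Ubuntu knobs; the classification thresholds are this example's own.

```c
/* Constructed probe for the exploit's one prerequisite; not the article's code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was read before _GNU_SOURCE took effect; the values
 * are the stable Linux ABI constants and the wrapper is glibc's own. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
extern int unshare(int flags);

enum userns_policy {
    USERNS_EXPOSED,     /* no knob stops an unprivileged user; the prerequisite holds */
    USERNS_RESTRICTED,  /* creation refused outright */
    USERNS_MEDIATED     /* AppArmor decides per profile; trust the live probe, not the sysctl */
};

/* Classify from sysctl values; pass -1 for a knob the running kernel does not expose.
 *   max_user_ns : user.max_user_namespaces (0 refuses new user namespaces for everyone)
 *   clone_flag  : kernel.unprivileged_userns_clone (Debian/Ubuntu kernels; 0 = refuse)
 *   apparmor    : kernel.apparmor_restrict_unprivileged_userns (Ubuntu 23.10+; 1 = mediated) */
enum userns_policy classify_userns(long max_user_ns, long clone_flag, long apparmor) {
    if (max_user_ns == 0 || clone_flag == 0)
        return USERNS_RESTRICTED;
    if (apparmor == 1)
        return USERNS_MEDIATED;
    return USERNS_EXPOSED;
}

/* Read one integer from /proc/sys; -1 when the file is absent or unreadable. */
long read_sysctl(const char *path) {
    FILE *f = fopen(path, "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try the exact syscall an exploit needs, in a child so the caller's namespaces
 * stay untouched. 1 = allowed, 0 = refused (EPERM, ENOSPC, or child killed by a
 * seccomp filter), -1 = could not fork. */
int probe_unshare_user_net(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0 ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    static const char *names[] = { "exposed", "restricted", "apparmor-mediated" };
    long max_ns = read_sysctl("/proc/sys/user/max_user_namespaces");
    long clone  = read_sysctl("/proc/sys/kernel/unprivileged_userns_clone");
    long aa     = read_sysctl("/proc/sys/kernel/apparmor_restrict_unprivileged_userns");
    int live    = probe_unshare_user_net();

    printf("user.max_user_namespaces=%ld unprivileged_userns_clone=%ld "
           "apparmor_restrict_unprivileged_userns=%ld -> policy: %s\n",
           max_ns, clone, aa, names[classify_userns(max_ns, clone, aa)]);
    printf("live unshare(CLONE_NEWUSER|CLONE_NEWNET) as uid %u: %s\n",
           (unsigned)getuid(),
           live == 1 ? "ALLOWED (prerequisite met)" : live == 0 ? "refused" : "probe failed");
    if (getuid() == 0)
        puts("note: run as an unprivileged user; a root result says nothing about the prerequisite");
    return 0;
}
```

Run it as an unprivileged user on the host itself, not inside a container, whose seccomp profile may refuse unshare independently of the host's policy. The interim restriction the article recommends maps onto the same knobs: user.max_user_namespaces=0 works on any kernel, and kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels that carry that patch; either way, re-run the live probe afterwards rather than trusting the sysctl alone.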
Originally reported by securityaffairs.com
Original headline: Exodus Intelligence Publishes Full Exploit for CVE-2026-23111 — Linux nf_tables Use-After-Free Grants Local Root With Greater Than 99% Reliability, Container Breakout Confirmed