Public exploit lands for one-character Linux kernel root flaw

A working exploit is now public for a Linux kernel bug that lets an ordinary local user become root and break out of containers. The flaw (CVE-2026-23111) lives in nf_tables, the kernel's packet-filtering code, and came down to a single inverted character that the upstream fix removed in one line back in February. It is reachable on common setups that have nf_tables plus unprivileged user namespaces enabled, both default on most desktops and many servers. Ubuntu rates it 7.8. There is no remote path on its own, but Exodus Intelligence published a full exploit walkthrough on June 8, making weaponization easy.

Check
Check the running kernel version on Linux hosts against your distribution's February 2026 or later patch, and review whether unprivileged user namespaces and nf_tables are enabled.
Affected
Linux systems on a kernel built before the February 5, 2026 nf_tables fix with both nf_tables and unprivileged user namespaces enabled (CVE-2026-23111); multi-tenant and container hosts most at risk.
Fix
Install the patched kernel package from your distribution and reboot. As a mitigation, restrict unprivileged user namespaces, for example by setting kernel.unprivileged_userns_clone to 0 where supported.
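The check above can be scripted per host. This is an added example, not code from the article or from any vendor: it compares the running kernel with a fixed version you supply from your distribution's advisory (FIXED_KERNEL, a placeholder) and reads the two preconditions. PROC_ROOT and SYS_ROOT are hypothetical overrides for testing, and the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example. Usage: FIXED_KERNEL=<version from your distro advisory> sh check.sh
# PROC_ROOT / SYS_ROOT are hypothetical overrides so the logic can run on a test tree.

# Print a sysctl value by its path under /proc/sys, or "absent" if unreadable.
read_sysctl() {
    f="${PROC_ROOT:-/proc}/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# True unless a sysctl explicitly disables unprivileged user namespaces.
# A missing sysctl counts as "allowed" so the verdict errs toward exposed.
userns_unprivileged_allowed() {
    [ "$(read_sysctl kernel/unprivileged_userns_clone)" = 0 ] && return 1
    [ "$(read_sysctl user/max_user_namespaces)" = 0 ] && return 1
    return 0
}

# True if version $1 sorts strictly before $2 (e.g. 6.8.0-45-generic before
# 6.8.0-60-generic; both strings are constructed samples). Needs sort -V.
kernel_older_than() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# $1 = running kernel release, $2 = fixed release from the distribution.
# Prints patched | mitigated | exposed, plus whether nf_tables is loaded now.
# "not-loaded" only describes the current state: a module can be loaded later.
assess() {
    if [ -d "${SYS_ROOT:-/sys}/module/nf_tables" ]; then
        nft=loaded
    else
        nft=not-loaded
    fi
    if ! kernel_older_than "$1" "$2"; then
        echo "patched nf_tables=$nft"
    elif userns_unprivileged_allowed; then
        echo "exposed nf_tables=$nft"
    else
        echo "mitigated nf_tables=$nft"
    fi
}

# Run against the live host only when a fixed version was supplied.
if [ -n "${FIXED_KERNEL:-}" ]; then
    assess "$(uname -r)" "$FIXED_KERNEL"
fi
```

Compare like with like: FIXED_KERNEL must be the release string of your distribution's patched package, since distributions backport fixes without changing the upstream version number.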