Public exploit lands for one-character Linux kernel root flaw
A working exploit is now public for a Linux kernel bug that lets an ordinary local user become root and break out of containers. The flaw (CVE-2026-23111) lives in nf_tables, the kernel's packet-filtering code, and came down to a single inverted character that the upstream fix removed in one line back in February. It is reachable on common setups that have nf_tables plus unprivileged user namespaces enabled, both default on most desktops and many servers. Ubuntu rates it 7.8. There is no remote path on its own, but Exodus Intelligence published a full exploit walkthrough on June 8, making weaponization easy.
- Check: Check the running kernel version on Linux hosts against your distribution's February 2026 or later patch, and review whether unprivileged user namespaces and nf_tables are enabled.
- Affected: Linux systems on a kernel built before the February 5, 2026 nf_tables fix with both nf_tables and unprivileged user namespaces enabled (CVE-2026-23111); multi-tenant and container hosts most at risk.
- Fix: Install the patched kernel package from your distribution and reboot. As a mitigation, restrict unprivileged user namespaces, for example setting kernel.unprivileged_userns_clone to 0 where supported.