Use After Free Affecting kernel-uek-doc package, versions <0:5.15.0-318.199.3.2.el8uek
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-ORACLE8-KERNELUEKDOC-15569574
- published15 Mar 2026
- disclosed13 Feb 2026
Introduced: 13 Feb 2026
CVE-2026-23111 (opens in a new tab)How to fix?
Upgrade Oracle:8 kernel-uek-doc to version 0:5.15.0-318.199.3.2.el8uek or higher.
This issue was patched in ELSA-2026-50145.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-uek-doc package and not the kernel-uek-doc package as distributed by Oracle.
See How to fix? for Oracle:8 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */
With the buggy catchall version:
nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */
The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
References
- https://linux.oracle.com/cve/CVE-2026-23111.html
- https://linux.oracle.com/errata/ELSA-2026-50145.html
- https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd
- https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d
- https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081
- https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5
- https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
- https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8