CVE-2026-23111

Source
https://cve.org/CVERecord?id=CVE-2026-23111
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23111.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23111
Downstream
Related
Published
2026-02-13T13:29:55.895Z
Modified
2026-03-29T17:44:17.078804353Z
Summary
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
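
Added example, not part of the CVE record or the kernel source: a userspace C model of the reference-count invariant the fix restores, comparing the inverted check with the corrected one over a single aborted transaction. The struct and function names (model_chain, model_elem, model_deactivate, model_catchall_activate, use_after_aborted_delete, abort_preserves_refcount) are hypothetical, and a plain boolean stands in for the genmask activity bit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model constructed for illustration; these are not kernel types. */
struct model_chain { int use; };        /* stands in for chain->use */
struct model_elem {
    struct model_chain *target;         /* chain an NFT_GOTO verdict points at */
    bool active;                        /* stands in for the genmask activity bit */
};

/* Transaction step: deactivate the element and drop its chain reference. */
static void model_deactivate(struct model_elem *e)
{
    e->active = false;
    e->target->use--;
}

/* Abort step. inverted=true reproduces the negated check quoted above. */
static void model_catchall_activate(struct model_elem *e, bool inverted)
{
    bool skip = inverted ? !e->active   /* buggy: skip inactive elements */
                         : e->active;   /* fixed: skip active elements */
    if (skip)
        return;
    e->active = true;
    e->target->use++;                   /* models nft_data_hold() */
}

/* Run one deactivate + abort and return the chain's use count afterwards. */
int use_after_aborted_delete(int initial_use, bool inverted)
{
    struct model_chain c = { .use = initial_use };
    struct model_elem e = { .target = &c, .active = true };

    model_deactivate(&e);
    model_catchall_activate(&e, inverted);
    return c.use;
}

/* Invariant an abort must satisfy: the reference count is unchanged. */
bool abort_preserves_refcount(bool inverted)
{
    return use_after_aborted_delete(1, inverted) == 1;
}

int main(void)
{
    printf("fixed check:    use=%d\n", use_after_aborted_delete(1, false));
    printf("inverted check: use=%d\n", use_after_aborted_delete(1, true));
    return 0;
}
```

The same before-and-after comparison of the use count across an aborted transaction is the property a regression test for this fix would assert.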

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23111.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8
Fixed
8c760ba4e36c750379d13569f23f5a6e185333f5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d60be2da67d172aecf866302c91ea11533eca4d9
Fixed
b9b6573421de51829f7ec1cce76d85f5f6fbbd7f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
628bd3e49cba1c066228e23d71a852c23e26da73
Fixed
42c574c1504aa089a0a142e4c13859327570473d
Fixed
1444ff890b4653add12f734ffeffc173d42862dd
Fixed
8b68a45f9722f2babe9e7bad00aa74638addf081
Fixed
f41c5d151078c5348271ffaf8e7410d96f2d82f8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
bc9f791d2593f17e39f87c6e2b3a36549a3705b1
Last affected
3c7ec098e3b588434a8b07ea9b5b36f04cef1f50
Last affected
a136b7942ad2a50de708f76ea299ccb45ac7a7f9
Last affected
dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23111.json"