When a verdict map is deleted from memory, catchall elements are deactivated and a chain’s reference counter is decremented. When errors occur the deletion can be reversed and the counter incremented. CVE-2026-53111 allows for that process to be altered. As a result, the exploit can decrement the variable an arbitrary number of times and then delete and free the chain when some objects still point to it.
“In this blog post, we have seen how one incorrect exclamation mark introduced a use-after-free vulnerability which can be exploited by an unprivileged user on Debian and Ubuntu to escalate privileges to root,” researchers from security firm Exodus Intelligence wrote Monday. “Although the exploit triggers the use-after-free vulnerability multiple times to leak the kernel base address, leak heap addresses, and hijack the control flow, the stability tests resulted in a stability of >99% on an idle system.”
The vulnerability was fixed in the kernel in February and subsequently back ported to major Linux distributions. Security firm FuzzingLabs demonstrated a proof of concept exploit in April. Exodus Intelligence, which discovered the bug, included its own PoC exploit in Monday’s post. It worked on Debian and Ubuntu.
CVE-2026-53111 is one of at least three potent elevation-of-privilege vulnerabilities to hit Linux in recent weeks. The vulnerabilities are serious, because, when chained to a separate exploit, they can be used to evade security defenses baked into the OS.
