DEBIAN-CVE-2026-23111

In the Linux kernel, the following vulnerability has been resolved:  netfilter: nftables: fix inverted genmask check in nftmapcatchallactivate()  nftmapcatchallactivate() has an inverted element activity check compared to its non-catchall counterpart nftmapelemactivate() and compared to what is logically required.  nftmapcatchallactivate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.  Compare the non-catchall activate callback, which is correct:    nftmapelemactivate():     if (nftsetelemactive(ext, iter->genmask))         return 0;   / skip active, process inactive /  With the buggy catchall version:    nftmapcatchallactivate():     if (!nftsetelemactive(ext, genmask))         continue;   / skip inactive, process active /  The consequence is that when a DELSET operation is aborted, nftsetelemdataactivate() is never called for the catchall element. For NFTGOTO verdict elements, this means nftdatahold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.  This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIGUSERNS and CONFIGNFTABLES.  Fix by removing the negation so the check matches nftmapelem_activate(): skip active elements, process inactive ones.