Single Errant Character Triggers Use-After-Free in Linux Netfilter Verdict Maps

A single incorrect exclamation mark in Linux kernel netfilter code created a use-after-free condition allowing unprivileged users to decrement reference counters arbitrarily, free chains while objects still referenced them, and escalate to root on Debian and Ubuntu systems. CVE-2026-53111 was introduced during error-handling reversal of verdict map deletion and fixed in February kernel commits. Exodus Intelligence researchers documented the flaw in a Monday post that included a >99% stable proof-of-concept exploit achieving kernel base and heap leaks plus control-flow hijacking. The vulnerability joins at least two other recent Linux elevation-of-privilege issues that can be chained to bypass OS defenses. FuzzingLabs released a separate April proof-of-concept. Primary source reporting from Ars Technica and the Exodus Intelligence disclosure both limit scope to the single-character origin and patch availability without examining how netfilter reference counting patterns recur across multiple subsystems. Kernel git history shows similar counter-decrement errors in nftables and xtables components between 2023 and 2025. No coverage referenced the February commit hashes or cross-checked against syzkaller reports that previously flagged analogous use-after-free surfaces in the same code paths.