CVE-2026-31424

MEDIUM EPSS 1.9%
Published Apr 13, 20262mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 13, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING). ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: <TASK> nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) </TASK> Kernel panic - not syncing: Fatal exception in interrupt Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports: - arpt_CLASSIFY - arpt_mangle - arpt_MARK that provide explicit NFPROTO_ARP match/target declarations.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥2.6.39  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.134
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b
    Patch