CVE-2026-31424

Source
https://cve.org/CVERecord?id=CVE-2026-31424
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31424.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31424
Downstream
Related
Published
2026-04-13T13:40:27.957Z
Modified
2026-06-18T03:56:07.933247623Z
Summary
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: xtables: restrict xtcheckmatch/xtchecktarget extensions for NFPROTOARP

Weiming Shi says:

xtmatch and xttarget structs registered with NFPROTOUNSPEC can be loaded by any protocol family through nftcompat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NFINET* constants. This is only correct for families whose hook layout matches NFINET*: IPv4, IPv6, INET, and bridge all share the same five hooks (PREROUTING ... POSTROUTING).

ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NFARPOUT == 1 == NFINETLOCALIN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xtdevgroup is one concrete example:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroupmt+0xff/0x350 Call Trace: <TASK> nftmatcheval (net/netfilter/nftcompat.c:407) nftdochain (net/netfilter/nftablescore.c:285) nftdochainarp (net/netfilter/nftchainfilter.c:61) nfhookslow (net/netfilter/core.c:623) arpxmit (net/ipv4/arp.c:666) </TASK> Kernel panic - not syncing: Fatal exception in interrupt

Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports:

  • arpt_CLASSIFY
  • arpt_mangle
  • arpt_MARK

that provide explicit NFPROTO_ARP match/target declarations.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31424.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9291747f118d6404e509747b85ff5f6dfec368d2
Fixed
80e3c75f71c3ea1e62fcb032382de13e00a68f8b
Fixed
d9a0af9e43416aa50c0595e15fa01365a1c72c49
Fixed
1cd6313c8644bfebbd813a05da9daa21b09dd68c
Fixed
f00ac65c90ea475719e08d629e2e26c8b4e6999b
Fixed
e7e1b6bcb389c8708003d40613a59ff2496f6b1f
Fixed
dc3e27dd7d76e21106b8f9bbdc31f5da74a89014
Fixed
3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a
Fixed
3d5d488f11776738deab9da336038add95d342d1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31424.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.39
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31424.json"