CVE-2026-31424
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Weiming Shi says:
xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING).
ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
RIP: 0010:devgroup_mt+0xff/0x350
Call Trace:
 nft_match_eval (net/netfilter/nft_compat.c:407)
 nft_do_chain (net/netfilter/nf_tables_core.c:285)
 nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
 nf_hook_slow (net/netfilter/core.c:623)
 arp_xmit (net/ipv4/arp.c:666)
Kernel panic - not syncing: Fatal exception in interrupt
Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports:
- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK
that provide explicit NFPROTO_ARP match/target declarations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel netfilter x_tables allows NFPROTO_UNSPEC extensions on ARP hooks, causing NULL pointer dereference and kernel panic.
Vulnerability
The Linux kernel's netfilter x_tables subsystem contains a logic flaw in how match and target extensions are validated for the ARP protocol family (NFPROTO_ARP). Extensions registered with NFPROTO_UNSPEC can be loaded by any protocol family via nft_compat, but when such an extension sets a .hooks bitmask it does so with NF_INET_* constants, which assume the five-hook layout shared by the IPv4, IPv6, INET and bridge families. ARP has only three hooks (IN, OUT, FORWARD), and the same numbers carry different semantics there, so a bit that means NF_INET_LOCAL_IN on IPv4 means NF_ARP_OUT on ARP. The hook validation therefore passes for the wrong reasons and lets the extension run on a hook whose assumptions it does not satisfy.
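The hook-number collision and the effect of the fix, as an added illustration that is neither the kernel's code nor part of this CVE record: the constants are the kernel's uapi values, but the two check functions and the "devgroup-like" extension (its hook mask is an assumption) are simplified stand-ins for xt_check_match and struct xt_match.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hook and family numbers from the kernel uapi headers (linux/netfilter.h,
 * linux/netfilter_arp.h). Note NF_ARP_OUT == NF_INET_LOCAL_IN == 1. */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };
enum { NF_ARP_IN, NF_ARP_OUT, NF_ARP_FORWARD };
enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3 };

/* Stand-in for the struct xt_match fields that matter here. */
struct xt_match_stub {
    const char *name;
    uint8_t family;      /* NFPROTO_* the extension was registered with */
    unsigned int hooks;  /* bitmask written with NF_INET_* numbers; 0 = any */
};

/* Pre-fix behaviour: only the bitmask is compared with the hooks the rule is
 * attached to, so bit 1 is NF_INET_LOCAL_IN on IPv4 but NF_ARP_OUT on ARP. */
bool hooks_check_old(const struct xt_match_stub *m, unsigned int hook_mask)
{
    return m->hooks == 0 || (hook_mask & ~m->hooks) == 0;
}

/* Post-fix behaviour, modelled on the description: an ARP table accepts only
 * extensions explicitly declared for NFPROTO_ARP, so an NF_INET_* bitmask is
 * never interpreted against the ARP hook layout. */
bool hooks_check_new(const struct xt_match_stub *m, uint8_t table_family,
                     unsigned int hook_mask)
{
    if (table_family == NFPROTO_ARP && m->family != NFPROTO_ARP)
        return false;
    return hooks_check_old(m, hook_mask);
}

/* Constructed extensions: an NFPROTO_UNSPEC match limited to input-side hooks
 * (where state->in is populated on IPv4), and an ARP-declared target. */
const struct xt_match_stub unspec_input_match = { "devgroup-like", NFPROTO_UNSPEC,
    (1u << NF_INET_PRE_ROUTING) | (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD) };
const struct xt_match_stub arp_declared_target = { "arpt_mangle-like", NFPROTO_ARP, 0 };

int main(void)
{
    unsigned int arp_out = 1u << NF_ARP_OUT;  /* ARP output hook: state->in is NULL */
    printf("old check, ARP OUT: %d\n", hooks_check_old(&unspec_input_match, arp_out));
    printf("new check, ARP OUT: %d\n", hooks_check_new(&unspec_input_match, NFPROTO_ARP, arp_out));
    return 0;
}
```

The old check accepts the input-only extension on the ARP output hook because bit 1 collides, while the new check rejects every non-ARP extension on an ARP table and leaves IPv4 tables and ARP-declared extensions unaffected.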
Exploitation
An attacker with the ability to configure netfilter rules (e.g., via nftables) can load a match or target designed for INET hooks into an ARP chain. For example, the devgroup match dereferences state->in on input hooks, but on ARP the hook numbering mismatch means state->in may be NULL. This can be triggered during ARP packet processing by crafting rules that use such extensions on ARP chains.
Impact
This vulnerability results in a NULL pointer dereference and kernel panic, leading to a denial of service (DoS) on the affected system. The crash manifests as a general protection fault (a KASAN-reported null-ptr-deref in devgroup_mt), as seen in the oops trace above.
Mitigation
The fix restricts arptables to only use extensions explicitly declared for NFPROTO_ARP. The Linux kernel has been patched to address this issue. Users should update to the latest kernel version.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (8)
- https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c (nvd, Patch)
- https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1 (nvd, Patch)
- https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a (nvd, Patch)
- https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b (nvd, Patch)
- https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49 (nvd, Patch)
- https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014 (nvd, Patch)
- https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f (nvd, Patch)
- https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b (nvd, Patch)
News mentions (1)
- Patch Tuesday - April 2026 (Rapid7 Blog, Apr 14, 2026)