{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31424", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.088Z", "datePublished": "2026-04-13T13:40:27.957Z", "dateUpdated": "2026-05-11T22:08:26.363Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:26.363Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n <TASK>\n nft_match_eval (net/netfilter/nft_compat.c:407)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n nf_hook_slow (net/netfilter/core.c:623)\n arp_xmit (net/ipv4/arp.c:666)\n </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/x_tables.c"], "versions": [{"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "80e3c75f71c3ea1e62fcb032382de13e00a68f8b", "status": "affected", "versionType": "git"}, {"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "d9a0af9e43416aa50c0595e15fa01365a1c72c49", "status": "affected", "versionType": "git"}, {"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "1cd6313c8644bfebbd813a05da9daa21b09dd68c", "status": "affected", "versionType": "git"}, {"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "f00ac65c90ea475719e08d629e2e26c8b4e6999b", "status": "affected", "versionType": "git"}, {"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "e7e1b6bcb389c8708003d40613a59ff2496f6b1f", "status": "affected", "versionType": "git"}, {"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "dc3e27dd7d76e21106b8f9bbdc31f5da74a89014", "status": "affected", "versionType": "git"}, {"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a", "status": "affected", "versionType": "git"}, {"version": "9291747f118d6404e509747b85ff5f6dfec368d2", "lessThan": "3d5d488f11776738deab9da336038add95d342d1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/x_tables.c"], "versions": [{"version": "2.6.39", "status": "affected"}, {"version": "0", "lessThan": "2.6.39", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b"}, {"url": "https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49"}, {"url": "https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c"}, {"url": "https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b"}, {"url": "https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f"}, {"url": "https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014"}, {"url": "https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a"}, {"url": "https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1"}], "title": "netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n <TASK>\n nft_match_eval (net/netfilter/nft_compat.c:407)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n nf_hook_slow (net/netfilter/core.c:623)\n arp_xmit (net/ipv4/arp.c:666)\n </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations."}], "id": "CVE-2026-31424", "lastModified": "2026-04-18T09:16:32.453", "metrics": {}, "published": "2026-04-13T14:16:12.240", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP", "id": "2457826", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457826"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1287", "details": ["A flaw was found in the Linux kernel's netfilter subsystem, specifically within the x_tables and arptables components. This vulnerability arises when xt_match and xt_target extensions, registered for unspecified protocol families, are incorrectly processed by the Address Resolution Protocol (ARP) subsystem. An attacker could exploit this by crafting network packets that trigger a mismatch in hook validation, leading to a null pointer dereference and ultimately a kernel panic, resulting in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-31424", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31424\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31424\nhttps://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31424-704f@gregkh/T"], "statement": "Incorrect extension registration for ARP chains is a correctness bug in the netfilter compatibility path. Exploitation for a panic requires a privileged user to install matching nftables/arptables rules that pull in the affected `xt_*` pieces on ARP traffic. The fix limits arptables to extensions explicitly declared for `NFPROTO_ARP`.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9291747f118d6404e509747b85ff5f6dfec368d2,1cd6313c8644bfebbd813a05da9daa21b09dd68c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9291747f118d6404e509747b85ff5f6dfec368d2,f00ac65c90ea475719e08d629e2e26c8b4e6999b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9291747f118d6404e509747b85ff5f6dfec368d2,e7e1b6bcb389c8708003d40613a59ff2496f6b1f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9291747f118d6404e509747b85ff5f6dfec368d2,dc3e27dd7d76e21106b8f9bbdc31f5da74a89014)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9291747f118d6404e509747b85ff5f6dfec368d2,3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9291747f118d6404e509747b85ff5f6dfec368d2,3d5d488f11776738deab9da336038add95d342d1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.39"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.39)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.134,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.22,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.12,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-14T01:38:09.815044+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that incorporates the netfilter fix for NFPROTO_ARP extensions.", "Confirm that the running kernel version reflects the patch by checking its build date or commit ID.", "Remove or disable any ARP filter rules that reference unqualified x_tables matches or targets.", "As a temporary workaround, switch to arptables\u2011legacy, which only supports safe ARP classes and does not load the vulnerable modules.", "Continuously monitor system logs for KASAN null\u2011pointer dereference messages or kernel panic indicators and enforce prompt patching when they appear."], "summary": {"action": "Immediate patch", "impact": "Kernel crash via null pointer dereference in ARP handling"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Linux kernel's netfilter x_tables subsystem for all releases that have not yet applied the security commit rectifying NFPROTO_ARP extension restrictions. Affected users run any Linux kernel prior to the patch release, regardless of distribution, as the problem is in the core kernel. Versions after the commit that introduces the restriction are not impacted.", "description_and_impact": "An ARP handling bug in the Linux kernel allows malicious network traffic to trigger a null pointer dereference that causes a kernel panic. The flaw arises because netfilter's x_tables extensions register match and target functions using NFPROTO_UNSPEC, but validate their hook usage against NF_INET_* constants. These constants misalign with the three ARP hook indices, permitting match or target code to run on ARP chains where its assumptions (such as state->in being set) are invalid. A concrete example is the xt_devgroup module, which dereferences a pointer that is null in the ARP context, leading to a general protection fault. The kernel crash manifests as a fatal exception in interrupt and results in a denial\u2011of\u2011service condition.", "risk_and_exploitability": "The CVSS score for this defect is 5.5, indicating a moderate severity. Exploitability requires the attacker to send crafted ARP packets that are processed by a vulnerable arptables chain, which is typically available to network users. Since the issue results in a kernel crash rather than arbitrary code execution, the risk is lower for privilege escalation but still significant for availability. The problem is not listed in CISA's KEV catalog and no EPSS score is published, but the potential for automated ARP traffic to trigger a panic can be exploited remotely by a network adversary."}}}}, "created": "2026-04-14T16:19:16.278020+00:00", "updated": "2026-04-14T16:34:24.523969+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}