{"api_version":"1","generated_at":"2026-04-19T01:10:08+00:00","cve":"CVE-2026-31424","urls":{"html":"https://cve.report/CVE-2026-31424","api":"https://cve.report/api/cve/CVE-2026-31424.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31424","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31424"},"summary":{"title":"netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n  <TASK>\n  nft_match_eval (net/netfilter/nft_compat.c:407)\n  nft_do_chain (net/netfilter/nf_tables_core.c:285)\n  nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n  nf_hook_slow (net/netfilter/core.c:623)\n  arp_xmit (net/ipv4/arp.c:666)\n  </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-13 14:16:12","updated_at":"2026-04-18 09:16:32"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014","name":"https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1","name":"https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a","name":"https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49","name":"https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f","name":"https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b","name":"https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b","name":"https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c","name":"https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31424","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31424","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 80e3c75f71c3ea1e62fcb032382de13e00a68f8b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 d9a0af9e43416aa50c0595e15fa01365a1c72c49 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 1cd6313c8644bfebbd813a05da9daa21b09dd68c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 f00ac65c90ea475719e08d629e2e26c8b4e6999b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 e7e1b6bcb389c8708003d40613a59ff2496f6b1f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 dc3e27dd7d76e21106b8f9bbdc31f5da74a89014 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9291747f118d6404e509747b85ff5f6dfec368d2 3d5d488f11776738deab9da336038add95d342d1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.39","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.39 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.168 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.134 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.81 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.22 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.12 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31424","cve":"CVE-2026-31424","epss":"0.000240000","percentile":"0.066100000","score_date":"2026-04-18","updated_at":"2026-04-19 00:10:43"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/netfilter/x_tables.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"80e3c75f71c3ea1e62fcb032382de13e00a68f8b","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"},{"lessThan":"d9a0af9e43416aa50c0595e15fa01365a1c72c49","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"},{"lessThan":"1cd6313c8644bfebbd813a05da9daa21b09dd68c","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"},{"lessThan":"f00ac65c90ea475719e08d629e2e26c8b4e6999b","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"},{"lessThan":"e7e1b6bcb389c8708003d40613a59ff2496f6b1f","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"},{"lessThan":"dc3e27dd7d76e21106b8f9bbdc31f5da74a89014","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"},{"lessThan":"3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"},{"lessThan":"3d5d488f11776738deab9da336038add95d342d1","status":"affected","version":"9291747f118d6404e509747b85ff5f6dfec368d2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/netfilter/x_tables.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.39"},{"lessThan":"2.6.39","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.168","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.134","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.81","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.22","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.12","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.168","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.134","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.81","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.22","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.12","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"2.6.39","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n  <TASK>\n  nft_match_eval (net/netfilter/nft_compat.c:407)\n  nft_do_chain (net/netfilter/nf_tables_core.c:285)\n  nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n  nf_hook_slow (net/netfilter/core.c:623)\n  arp_xmit (net/ipv4/arp.c:666)\n  </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations."}],"providerMetadata":{"dateUpdated":"2026-04-18T08:59:37.647Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b"},{"url":"https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49"},{"url":"https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c"},{"url":"https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b"},{"url":"https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f"},{"url":"https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014"},{"url":"https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a"},{"url":"https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1"}],"title":"netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31424","datePublished":"2026-04-13T13:40:27.957Z","dateReserved":"2026-03-09T15:48:24.088Z","dateUpdated":"2026-04-18T08:59:37.647Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-13 14:16:12","lastModifiedDate":"2026-04-18 09:16:32","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31424","Ordinal":"1","Title":"netfilter: x_tables: restrict xt_check_match/xt_check_target ext","CVE":"CVE-2026-31424","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31424","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n  <TASK>\n  nft_match_eval (net/netfilter/nft_compat.c:407)\n  nft_do_chain (net/netfilter/nf_tables_core.c:285)\n  nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n  nf_hook_slow (net/netfilter/core.c:623)\n  arp_xmit (net/ipv4/arp.c:666)\n  </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations.","Type":"Description","Title":"netfilter: x_tables: restrict xt_check_match/xt_check_target ext"}]}}}