
CVE-2026-31424

Published: April 13, 2026 · Updated: Apr 18, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 6.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP

Weiming Shi says:

xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING).

ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example:

    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
    KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
    RIP: 0010:devgroup_mt+0xff/0x350
    Call Trace:
    <TASK>
    nft_match_eval (net/netfilter/nft_compat.c:407)
    nft_do_chain (net/netfilter/nf_tables_core.c:285)
    nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
    nf_hook_slow (net/netfilter/core.c:623)
    arp_xmit (net/ipv4/arp.c:666)
    </TASK>
    Kernel panic - not syncing: Fatal exception in interrupt

Fix it by restricting arptables to NFPROTO_ARP extensions only.

Note that arptables-legacy only supports:

- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK

that provide explicit NFPROTO_ARP match/target declarations.

NVD Source
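
The hook-number collision described above, modelled in userspace C as an added example (not kernel code and not the upstream patch). The extensions `input_only` and `arp_native` are hypothetical, and the `-EINVAL` returned by the restricted check is this model's assumption.

```c
/* Userspace model of the x_tables hook check; not kernel code. */
#include <errno.h>
#include <stdio.h>

enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3 };
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };
enum { NF_ARP_IN, NF_ARP_OUT, NF_ARP_FORWARD };

struct ext {               /* stand-in for the xt_match fields used here */
    const char *name;
    unsigned family;       /* family the extension registered for */
    unsigned hooks;        /* allowed hooks as an NF_INET_* bitmask; 0 = any */
};

/* Hypothetical extension: wants input-side hooks, where state->in is set. */
static const struct ext input_only = { "input_only", NFPROTO_UNSPEC,
    (1u << NF_INET_PRE_ROUTING) | (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD) };
/* Hypothetical extension declared explicitly for ARP. */
static const struct ext arp_native = { "arp_native", NFPROTO_ARP, 0 };

/* The .hooks validation alone: compares raw bit positions, family-blind. */
int check_hooks_only(const struct ext *e, unsigned family, unsigned hook_mask)
{
    (void)family;
    if (e->hooks && (hook_mask & ~e->hooks) != 0)
        return -EINVAL;
    return 0;
}

/* With the stated restriction: ARP accepts only NFPROTO_ARP extensions. */
int check_restricted(const struct ext *e, unsigned family, unsigned hook_mask)
{
    if (family == NFPROTO_ARP && e->family != NFPROTO_ARP)
        return -EINVAL;    /* errno value is this model's choice */
    return check_hooks_only(e, family, hook_mask);
}

int main(void)
{
    unsigned arp_out = 1u << NF_ARP_OUT;   /* same bit as NF_INET_LOCAL_IN */
    printf("hooks-only, ARP OUT:    %d\n", check_hooks_only(&input_only, NFPROTO_ARP, arp_out));
    printf("restricted, ARP OUT:    %d\n", check_restricted(&input_only, NFPROTO_ARP, arp_out));
    printf("restricted, IPv4 OUT:   %d\n", check_restricted(&input_only, NFPROTO_IPV4, 1u << NF_INET_LOCAL_OUT));
    printf("restricted, ARP native: %d\n", check_restricted(&arp_native, NFPROTO_ARP, arp_out));
    return 0;
}
```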

Technical Analysis

CVE-2026-31424 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description): Linux, Canonical
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-31424
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Apr 13, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31424 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.