Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP

Weiming Shi says:

xt_match and xt_target structs registered with NFPROTO_UNSPEC can be
loaded by any protocol family through nft_compat. When such a
match/target sets .hooks to restrict which hooks it may run on, the
bitmask uses NF_INET_* constants. This is only correct for families
whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge
all share the same five hooks (PRE_ROUTING ... POST_ROUTING).

ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different
semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks
validation silently passes for the wrong reasons, allowing matches to
run on ARP chains where the hook assumptions (e.g. state->in being
set on input hooks) do not hold. This leads to NULL pointer
dereferences; xt_devgroup is one concrete example:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
RIP: 0010:devgroup_mt+0xff/0x350
Call Trace:
<TASK>
nft_match_eval (net/netfilter/nft_compat.c:407)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
nf_hook_slow (net/netfilter/core.c:623)
arp_xmit (net/ipv4/arp.c:666)
</TASK>
Kernel panic - not syncing: Fatal exception in interrupt

Fix it by restricting arptables to NFPROTO_ARP extensions only.
Note that arptables-legacy only supports:

- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK

that provide explicit NFPROTO_ARP match/target declarations.
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash via null pointer dereference in ARP handling
Action: Immediate patch
AI Analysis

Impact

A hook-validation bug in the netfilter x_tables subsystem lets a local user who can configure nftables ARP-family chains crash the kernel. x_tables match and target extensions registered with NFPROTO_UNSPEC can be bound into any protocol family through nft_compat, but the hook bitmask they validate against is written in NF_INET_* constants, which only describe the five-hook layout shared by IPv4, IPv6, INET and bridge. ARP has three hooks with different meanings, and NF_ARP_OUT has the same numeric value (1) as NF_INET_LOCAL_IN, so a match that is only valid on input hooks is accepted on the ARP output hook. xt_devgroup is the example in the trace: on an input hook it reads the group of the input device (state->in), but on the ARP output hook, reached from arp_xmit(), state->in is NULL, and the KASAN report shows the read landing in the 0x220-0x227 range of a NULL pointer. The result is a general protection fault in interrupt context followed by a kernel panic, i.e. a denial of service.
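The hook-number collision described above, as an added example in C (this is not kernel code and not part of the commit). The NFPROTO_* and NF_INET_*/NF_ARP_* numbers are the kernel's real values from <linux/netfilter.h>; the struct layouts, the single .hooks field standing in for devgroup's source-group checkentry restriction, and the shape of the post-fix check are simplifications assumed from the commit description. The hook state and device are constructed sample input.

```c
/* Added example: models the x_tables hook-mask check the commit describes.
 * Not kernel code. Numeric constants are the kernel's; struct shapes and
 * the post-fix check are assumptions modelled on the commit message. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol families, values as in <linux/netfilter.h> */
enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3 };

/* IPv4/IPv6/INET/bridge hook layout: five hooks, in-device present on 0..2 */
enum { NF_INET_PRE_ROUTING = 0, NF_INET_LOCAL_IN = 1, NF_INET_FORWARD = 2,
       NF_INET_LOCAL_OUT = 3, NF_INET_POST_ROUTING = 4 };

/* ARP hook layout: three hooks; NF_ARP_OUT shares the value 1 with NF_INET_LOCAL_IN */
enum { NF_ARP_IN = 0, NF_ARP_OUT = 1, NF_ARP_FORWARD = 2 };

struct net_device { unsigned int group; };

/* Minimal stand-in for struct nf_hook_state: on an output hook `in` is NULL */
struct nf_hook_state {
    unsigned int hook;
    uint8_t pf;
    const struct net_device *in;
    const struct net_device *out;
};

/* Stand-in for struct xt_match: registered family and the NF_INET_* hook
 * mask the extension insists on (0 = any hook). Assumption: the real
 * xt_devgroup spells this in its checkentry, not in .hooks. */
struct xt_match_model {
    const char *name;
    uint8_t family;
    unsigned int hooks;
};

/* xt_devgroup registers for NFPROTO_UNSPEC; matching the source device
 * group only makes sense on the three hooks where an in-device exists. */
static const struct xt_match_model devgroup_model = {
    .name   = "devgroup",
    .family = NFPROTO_UNSPEC,
    .hooks  = (1u << NF_INET_PRE_ROUTING) | (1u << NF_INET_LOCAL_IN) |
              (1u << NF_INET_FORWARD),
};

/* Pre-fix behaviour: compare the rule's hook mask against the extension's
 * NF_INET_* mask and ignore which family the chain belongs to. */
static int check_match_before_fix(const struct xt_match_model *m,
                                  uint8_t family, unsigned int hook_mask)
{
    (void)family;
    if (m->hooks && (hook_mask & ~m->hooks))
        return -EINVAL;
    return 0;
}

/* Post-fix behaviour, modelled on the commit's description: an ARP-family
 * chain may only bind extensions registered for NFPROTO_ARP, so an
 * NF_INET_* mask is never interpreted against ARP hook numbers. */
static int check_match_after_fix(const struct xt_match_model *m,
                                 uint8_t family, unsigned int hook_mask)
{
    if (family == NFPROTO_ARP && m->family != NFPROTO_ARP)
        return -EINVAL;
    return check_match_before_fix(m, family, hook_mask);
}

/* What devgroup's match function needs at run time: the in-device's group.
 * Returns -1 where the real devgroup_mt() would dereference a NULL
 * in-device; this model checks instead of crashing. */
static long devgroup_src_group(const struct nf_hook_state *st)
{
    if (!st->in)
        return -1;
    return (long)st->in->group;
}

/* The scenario from the trace: a devgroup rule in an ARP output chain, then
 * an ARP frame sent through arp_xmit(). Returns 1 if the checker accepts the
 * rule and evaluation then meets a NULL in-device, 0 otherwise. */
static int arp_out_scenario(int (*checker)(const struct xt_match_model *,
                                           uint8_t, unsigned int))
{
    const unsigned int hook_mask = 1u << NF_ARP_OUT; /* == 1u << NF_INET_LOCAL_IN */
    struct net_device eth0 = { .group = 7 };          /* constructed sample device */
    struct nf_hook_state st = { .hook = NF_ARP_OUT, .pf = NFPROTO_ARP,
                                .in = NULL, .out = &eth0 }; /* constructed */

    if (checker(&devgroup_model, NFPROTO_ARP, hook_mask) != 0)
        return 0;                        /* rejected at rule load time */
    return devgroup_src_group(&st) < 0;  /* rule ran and found in == NULL */
}

int main(void)
{
    printf("NF_ARP_OUT == NF_INET_LOCAL_IN: %s\n",
           NF_ARP_OUT == NF_INET_LOCAL_IN ? "yes" : "no");
    printf("before fix: rule accepted and hits NULL in-device: %s\n",
           arp_out_scenario(check_match_before_fix) ? "yes" : "no");
    printf("after fix:  rule accepted and hits NULL in-device: %s\n",
           arp_out_scenario(check_match_after_fix) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the pre-fix check is not wrong about the bitmask arithmetic; it is wrong about the numbering the bitmask is expressed in, so gating on the extension's registered family (the commit's approach) is the only check that does not depend on the two layouts happening to agree.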

Affected Systems

The vulnerability is in the netfilter x_tables subsystem of the Linux kernel (CPE cpe:2.3:o:linux:linux_kernel:*) and is independent of distribution. Any kernel in which nft_compat can bind NFPROTO_UNSPEC x_tables extensions into ARP-family chains and which does not carry the fixing commit is affected; kernels that include the commit, or a stable or distribution backport of it, are not. Debian has shipped the fix for linux-6.1 (DLA-4561-1) and for its linux packages (DSA-6238-1, DSA-6243-1); see Advisories below.

Risk and Exploitability

The CVSS 3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5, Medium): local attack vector, low privileges, no confidentiality or integrity impact, high availability impact. Exploitation does not require crafted packets from the network. The attacker needs to load a rule into an ARP-family nftables chain that binds an NFPROTO_UNSPEC x_tables extension through nft_compat (for example via arptables-nft); ordinary ARP traffic sent by the host then reaches the rule through arp_xmit() and triggers the crash. Loading such a rule requires CAP_NET_ADMIN, which on kernels with unprivileged user namespaces enabled a local user can typically obtain for a network namespace it creates, which is why the vector is rated local with low privileges rather than remote. The outcome is a panic, not code execution, so the risk is to availability. The issue is not in CISA's KEV catalog and its EPSS score is below 1%.

Generated by OpenCVE AI on April 14, 2026 at 01:38 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround. The upstream fix is the commit quoted in the Description (ARP-family chains are restricted to NFPROTO_ARP x_tables extensions), and the Debian advisories listed under Advisories ship it.

OpenCVE Recommended Actions

  • Apply a kernel update that carries the netfilter fix restricting ARP-family chains to NFPROTO_ARP x_tables extensions (on Debian: DLA-4561-1 for linux-6.1, DSA-6238-1 and DSA-6243-1 for linux).
  • Confirm that the running kernel (uname -r) is the patched package version named in your distribution's advisory or changelog; a build date alone does not prove the backport is present.
  • Until patched, remove ARP-family nftables rules that bind x_tables matches or targets other than the NFPROTO_ARP ones (CLASSIFY, mangle, MARK). `nft list ruleset arp` shows the ARP-family chains; nft_compat together with modules such as xt_devgroup appearing in lsmod on a host that should carry no such rules is worth investigating.
  • arptables-legacy is not a vector for this bug: its userspace ships only arpt_CLASSIFY, arpt_mangle and arpt_MARK, which are explicit NFPROTO_ARP extensions. Switching to it is a workaround only if those are all you need; it does not change the kernel path that nft_compat uses.
  • Watch kernel logs for oopses or panics in devgroup_mt or other x_tables match functions called from nft_do_chain_arp. The KASAN report in the Description comes from a debug build; a production kernel prints a plain general protection fault or NULL pointer dereference oops and, because the fault occurs in interrupt context, panics.


Tracking

Advisories
Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DSA  DSA-6238-1  linux security update
Debian DSA  DSA-6243-1  linux security update
History

Sat, 18 Apr 2026 09:15:00 +0000


Tue, 14 Apr 2026 00:15:00 +0000

Weaknesses  added:    CWE-1287
References  (no values changed)
Metrics     removed:  threat_severity = None
            added:    cvssV3_1 = {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
                      threat_severity = Moderate


Mon, 13 Apr 2026 13:45:00 +0000

Description         added:  (the commit message reproduced in full in the Description section at the top of this page)
Title               added:  netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
First Time appeared:        Linux; Linux linux Kernel
CPEs                added:  cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products  added:  Linux; Linux linux Kernel
References          (no values changed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:26.363Z

Reserved: 2026-03-09T15:48:24.088Z

Link: CVE-2026-31424

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-13T14:16:12.240

Modified: 2026-04-18T09:16:32.453

Link: CVE-2026-31424

Redhat

Severity : Moderate

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-31424 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:34:24Z

Weaknesses