{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-13T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP",
    "id" : "2457826",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457826"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1287",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\nWeiming Shi says:\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\nRIP: 0010:devgroup_mt+0xff/0x350\nCall Trace:\n<TASK>\nnft_match_eval (net/netfilter/nft_compat.c:407)\nnft_do_chain (net/netfilter/nf_tables_core.c:285)\nnft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\nnf_hook_slow (net/netfilter/core.c:623)\narp_xmit (net/ipv4/arp.c:666)\n</TASK>\nKernel panic - not syncing: Fatal exception in interrupt\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\nthat provide explicit NFPROTO_ARP match/target declarations.", "A flaw was found in the Linux kernel's netfilter subsystem, specifically within the x_tables and arptables components. This vulnerability arises when xt_match and xt_target extensions, registered for unspecified protocol families, are incorrectly processed by the Address Resolution Protocol (ARP) subsystem. An attacker could exploit this by crafting network packets that trigger a mismatch in hook validation, leading to a null pointer dereference and ultimately a kernel panic, resulting in a Denial of Service (DoS) for the affected system." ],
  "statement" : "Incorrect extension registration for ARP chains is a correctness bug in the netfilter compatibility path. Exploitation for a panic requires a privileged user to install matching nftables/arptables rules that pull in the affected `xt_*` pieces on ARP traffic. The fix limits arptables to extensions explicitly declared for `NFPROTO_ARP`.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31424\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31424\nhttps://lore.kernel.org/linux-cve-announce/2026041356-CVE-2026-31424-704f@gregkh/T" ],
  "name" : "CVE-2026-31424",
  "csaw" : false
}