PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31424 Linux CVE debrief

CVE-2026-31424 is a Linux kernel availability vulnerability in netfilter's x_tables/nft_compat handling for ARP. A hook-validation mismatch can let xt_match/xt_target extensions with NFPROTO_UNSPEC run in ARP chains even when their .hooks masks were written for NF_INET_* layouts, which can lead to a NULL pointer dereference and kernel panic.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-05-20
Advisory published: 2026-04-13
Advisory updated: 2026-05-20

Who should care

Kernel and distribution maintainers, and operators of Linux systems that use nftables/arptables compatibility or ARP filtering. Because the issue can crash the kernel, environments that allow privileged local users to manage firewall rules should prioritize patching.

Technical summary

The supplied CVE description says xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. Their .hooks validation assumes the five-hook NF_INET_* layout used by IPv4, IPv6, INET, and bridge, but ARP uses only three hooks with different semantics. That mismatch can make the validation pass for the wrong reasons and allow a match to execute on an ARP chain where expected state is missing, producing a NULL pointer dereference. The description cites xt_devgroup as one concrete crash example. The fix is to restrict arptables to NFPROTO_ARP extensions only; the record also notes that arptables-legacy only supports arpt_CLASSIFY, arpt_mangle, and arpt_MARK, which already declare NFPROTO_ARP explicitly. NVD classifies the impact as availability-only (CVSS 5.5, local, low complexity, low privileges, no user interaction).

Defensive priority

Medium-to-high: the flaw can cause a kernel panic on affected systems, so patching should be prioritized for hosts that use netfilter ARP paths or nft_compat.

Recommended defensive actions

  • Apply the vendor or stable kernel update that contains the fix for your release branch.
  • Confirm whether your systems use nft_compat, arptables, or ARP-oriented firewall rules, and prioritize those hosts first.
  • Review which local administrators or automation systems can manage firewall rules, since the trigger requires local privileges.
  • After updating, reboot into the patched kernel and verify the running version is outside the affected ranges listed by NVD.

Evidence notes

The source corpus identifies the CVE as publicly published on 2026-04-13 and last modified on 2026-05-20, with NVD marking the record analyzed. The description provides the root-cause analysis and a crash trace showing devgroup_mt() reached through nft_match_eval() on an ARP chain. NVD lists official kernel patch references and affected version ranges ending before 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, and 6.19.12, with 7.0-rc1 through 7.0-rc6 also listed as vulnerable.
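To support the "verify the running version" step in the recommended actions, the following added example (not part of the debrief or of any vendor tooling) classifies a kernel version string against the first-fixed upstream releases listed above. Distribution kernels often backport fixes without bumping the upstream version, so a "vulnerable" verdict means "consult your vendor advisory", not a confirmed exposure.

```shell
#!/bin/sh
# Added example: compare a kernel version string (e.g. output of `uname -r`) with the
# first-fixed upstream releases from the NVD record for CVE-2026-31424.
# Verdicts: patched | vulnerable | unknown (branch not covered by the NVD ranges).

# Stable branch -> first fixed patch level, taken from the Evidence notes above.
fixed_for_branch() {
    case "$1" in
        5.10) echo 253 ;;
        5.15) echo 203 ;;
        6.1)  echo 168 ;;
        6.6)  echo 134 ;;
        6.12) echo 81 ;;
        6.18) echo 22 ;;
        6.19) echo 12 ;;
        *)    echo "" ;;
    esac
}

# Print the verdict for one version string; always returns 0 so callers can
# capture the output without tripping `set -e`.
classify_kernel() {
    v="$1"
    # 7.0-rc1 through 7.0-rc6 are listed as vulnerable; later 7.0 builds are not listed.
    case "$v" in
        7.0-rc[1-6]*) echo vulnerable; return 0 ;;
    esac
    major=${v%%.*}                 # "6.6.130-generic" -> "6"
    rest=${v#*.}                   # -> "6.130-generic"
    minor=${rest%%.*}              # -> "6"   ("0-rc3" for 7.0-rc3)
    minor=${minor%%-*}             # strip any -rc/-vendor suffix
    fixed=$(fixed_for_branch "$major.$minor")
    if [ -z "$fixed" ]; then echo unknown; return 0; fi
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;   # "130-generic" -> "130"
        *)   patch=0 ;;                                      # "6.12" means 6.12.0
    esac
    if [ "${patch:-0}" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
    return 0
}

# Classify the running kernel when executed directly.
classify_kernel "$(uname -r)"
```

A distribution version such as 5.15.0-100-generic is reported as vulnerable because the upstream patch level is hidden; the vendor's changelog, not this script, is authoritative for backported kernels.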

Official resources

Public disclosure is reflected in the CVE record published on 2026-04-13, with a later NVD update on 2026-05-20. The supplied corpus does not include an embargo timeline or evidence of exploitation in the wild.