Home

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING). ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: <TASK> nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) </TASK> Kernel panic - not syncing: Fatal exception in interrupt Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports: - arpt_CLASSIFY - arpt_mangle - arpt_MARK that provide explicit NFPROTO_ARP match/target declarations.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-13 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before 80e3c75f71c3ea1e62fcb032382de13e00a68f8b
affected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before d9a0af9e43416aa50c0595e15fa01365a1c72c49
affected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before 1cd6313c8644bfebbd813a05da9daa21b09dd68c
affected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before f00ac65c90ea475719e08d629e2e26c8b4e6999b
affected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before e7e1b6bcb389c8708003d40613a59ff2496f6b1f
affected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before dc3e27dd7d76e21106b8f9bbdc31f5da74a89014
affected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before 3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a
affected

9291747f118d6404e509747b85ff5f6dfec368d2 (git) before 3d5d488f11776738deab9da336038add95d342d1
affected

Default status
affected

2.6.39
affected

Any version before 2.6.39
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.168 (semver)
unaffected

6.6.134 (semver)
unaffected

6.12.81 (semver)
unaffected

6.18.22 (semver)
unaffected

6.19.12 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b

git.kernel.org/...c/d9a0af9e43416aa50c0595e15fa01365a1c72c49

git.kernel.org/...c/1cd6313c8644bfebbd813a05da9daa21b09dd68c

git.kernel.org/...c/f00ac65c90ea475719e08d629e2e26c8b4e6999b

git.kernel.org/...c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f

git.kernel.org/...c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014

git.kernel.org/...c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a

git.kernel.org/...c/3d5d488f11776738deab9da336038add95d342d1

cve.org (CVE-2026-31424)

nvd.nist.gov (CVE-2026-31424)

Download JSON