PT-2026-32350 · Linux · Linux Kernel

Weiming Shi · Published 2026-04-13 · Updated 2026-05-09 · CVE-2026-31424

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A flaw exists in the netfilter x_tables component where xt_match and xt_target structures registered with NFPROTO_UNSPEC can be loaded by any protocol family via nft_compat. When these structures use a bitmask with NF_INET_* constants to restrict hooks, the validation incorrectly passes for the ARP protocol because NF_ARP_OUT shares the same value as NF_INET_LOCAL_IN. This allows matches to execute on ARP chains where expected hook assumptions are not met, potentially leading to NULL pointer dereferences, as seen in the devgroup_mt() function.

Recommendations

Restrict arptables to use only NFPROTO_ARP extensions. As a temporary workaround, restrict the use of xt_devgroup in ARP chains until the update is applied.
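
The hook-number collision described above, shown as a simplified userspace model that is added here and is neither kernel code nor part of the original advisory. The constant values are those of the kernel's uapi netfilter headers; `struct ext_model` and both check functions are hypothetical names, and the sample hook mask is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Values as defined in the kernel's uapi netfilter headers. */
enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_ARP = 3 };
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };
enum { NF_ARP_IN, NF_ARP_OUT, NF_ARP_FORWARD };

/* Hypothetical, simplified stand-in for an xt_match registration. */
struct ext_model {
    int family;          /* NFPROTO_* the extension registered with */
    unsigned int hooks;  /* bitmask of hook numbers it accepts */
};

/* Mask-only validation: the hook number is tested against the mask without
 * regard to which family's numbering it comes from. */
static bool check_mask_only(const struct ext_model *e, int chain_family,
                            unsigned int hook)
{
    (void)chain_family;
    return (e->hooks & (1u << hook)) != 0;
}

/* Validation following the advisory's recommendation: an ARP chain accepts
 * only NFPROTO_ARP extensions; the hook mask is checked afterwards. */
static bool check_family_then_mask(const struct ext_model *e, int chain_family,
                                   unsigned int hook)
{
    if (chain_family == NFPROTO_ARP && e->family != NFPROTO_ARP)
        return false;
    return check_mask_only(e, chain_family, hook);
}

int main(void)
{
    /* Constructed sample: an NFPROTO_UNSPEC match limited to input-side hooks. */
    struct ext_model m = { NFPROTO_UNSPEC,
        (1u << NF_INET_PRE_ROUTING) | (1u << NF_INET_LOCAL_IN) };

    printf("NF_ARP_OUT=%d NF_INET_LOCAL_IN=%d\n", NF_ARP_OUT, NF_INET_LOCAL_IN);
    printf("ARP OUT, mask only:     %d\n", check_mask_only(&m, NFPROTO_ARP, NF_ARP_OUT));
    printf("ARP OUT, family + mask: %d\n", check_family_then_mask(&m, NFPROTO_ARP, NF_ARP_OUT));
    return 0;
}
```

The mask-only check accepts the extension on the ARP output hook even though it was written for an input hook; the family check rejects it before the mask is consulted.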

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2026-31424
ECHO-8951-82F1-8D3A
OESA-2026-2232
OESA-2026-2235
OESA-2026-2236

Affected Products

Linux Kernel