Skip to main content

Linux Kernel EUVDEUVD-2026-21948

| CVE-2026-31424 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-13 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 20, 2026 - 18:08 vuln.today
CVSS changed
May 20, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch released
Apr 18, 2026 - 09:16 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
3d5d488f11776738deab9da336038add95d342d1,1cd6313c8644bfebbd813a05da9daa21b09dd68c,3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a
EUVD ID Assigned
Apr 13, 2026 - 13:45 euvd
EUVD-2026-21948
CVE Published
Apr 13, 2026 - 13:40 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP

Weiming Shi says:

xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING).

ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT 1 NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: <TASK> nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) </TASK> Kernel panic - not syncing: Fatal exception in interrupt

Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports:

  • arpt_CLASSIFY
  • arpt_mangle
  • arpt_MARK

that provide explicit NFPROTO_ARP match/target declarations.

AnalysisAI

NULL pointer dereference in the Linux kernel's netfilter x_tables subsystem allows a local attacker with CAP_NET_ADMIN privileges to crash the system by loading an NFPROTO_UNSPEC-registered xt_match or xt_target (e.g., xt_devgroup) into an ARP nftables chain via nft_compat, triggering a kernel panic and complete availability loss. CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local-only, availability-only impact, and EPSS at 0.02% (7th percentile) indicates very low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV); vendor-released patches are available across multiple stable kernel branches.

Technical ContextAI

The Linux kernel netfilter subsystem allows xt_match and xt_target structs registered with NFPROTO_UNSPEC to be loaded by any protocol family through the nft_compat interface. These structs use a .hooks bitmask with NF_INET_* constants to restrict which netfilter hooks they may execute on - a layout shared by IPv4, IPv6, INET, and bridge (all defining the same five hooks: PRE_ROUTING=0 through POST_ROUTING=4). ARP, however, defines only three hooks with semantically different assignments: NF_ARP_IN=0, NF_ARP_OUT=1, NF_ARP_FORWARD=2. The critical flaw is that NF_ARP_OUT (value 1) numerically aliases NF_INET_LOCAL_IN (also value 1), causing xt_check_match/xt_check_target to incorrectly pass the .hooks validation for NFPROTO_ARP. This allows extensions like xt_devgroup - which assumes state->in is populated on input hooks - to execute on ARP output chains where state->in is NULL, producing a NULL pointer dereference (CWE-476) and kernel panic. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* with the vulnerability introduced at commit 9291747f118d6404e509747b85ff5f6dfec368d2 (Linux 2.6.39).

RemediationAI

Upgrade to a patched kernel release: 6.1.168 or later for the 6.1.x LTS branch, 6.6.134 or later for the 6.6.x LTS branch, 6.12.81 or later for 6.12.x, 6.18.22 or later for 6.18.x, 6.19.12 or later for 6.19.x, or kernel 7.0 or later. Stable-branch patches are available at https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c and the related commits listed above; canonical distribution packages (Ubuntu, Debian, RHEL) should be monitored for backported security updates. Where immediate patching is not possible, restrict CAP_NET_ADMIN delegation to trusted processes only - on systems running containers, set kernel.unprivileged_userns_clone=0 (Debian/Ubuntu sysctl) or equivalent seccomp/AppArmor profiles to prevent unprivileged users from obtaining network-capable namespaces; note this may break legitimate containerized workloads that rely on user namespaces for networking. Additionally, if ARP processing through custom nftables chains is not required, disabling CONFIG_NFT_COMPAT at build time eliminates the attack surface entirely, though this is only practical for custom kernel builds. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-31424.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server 12 SP5-LTSS Affected
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Affected
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

EUVD-2026-21948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy