CVE-2026-31424: In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_che
Summary
A vulnerability in the Linux kernel's netfilter (the packet-filtering subsystem) allowed matches and targets written for general use to be loaded into ARP (the protocol that maps IP addresses to link-layer addresses on a local network) chains. ARP's hook layout differs from that of IPv4/IPv6, so the same hook numbers carry different meanings, and the validation code did not catch this mismatch; a general-purpose extension loaded into an ARP chain could therefore trigger a NULL pointer dereference (a crash when code follows a pointer that points at nothing).
Solution / Mitigation
The fix restricts arptables to NFPROTO_ARP extensions only. The arptables-legacy implementation supports only three extensions, each of which explicitly declares NFPROTO_ARP: arpt_CLASSIFY, arpt_mangle, and arpt_MARK.
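The following is an added example, not kernel code, that models the family check described above in simplified form: an ARP table accepts only extensions declaring NFPROTO_ARP, and a hook-name lookup shows why a generic extension's hook numbers do not line up with ARP's. The struct, the function names and the sample extensions are constructed for illustration; the NFPROTO_* values and hook names are the real kernel constants.

```c
/* Simplified model of the check described above. Added example, not kernel
 * code: the real xt_check_match/xt_check_target take more arguments and also
 * perform size, table-name and protocol checks that are omitted here. */
#include <errno.h>
#include <string.h>

/* Real values from linux/netfilter.h. */
#define NFPROTO_UNSPEC 0
#define NFPROTO_IPV4   2
#define NFPROTO_ARP    3

struct xt_match_model {           /* constructed stand-in for struct xt_match */
    const char *name;
    unsigned char family;         /* family the extension declares (NFPROTO_*) */
};

/* Hook numbers are reused across families but mean different things:
 * hook 1 is LOCAL_IN on IPv4 but OUT on ARP, and ARP has no hook 3 or 4. */
static const char *inet_hooks[] = { "NF_INET_PRE_ROUTING", "NF_INET_LOCAL_IN",
    "NF_INET_FORWARD", "NF_INET_LOCAL_OUT", "NF_INET_POST_ROUTING" };
static const char *arp_hooks[] = { "NF_ARP_IN", "NF_ARP_OUT", "NF_ARP_FORWARD" };

/* Name of a hook number for a family, or NULL if the family has no such hook
 * (the layout mismatch a general-purpose extension would walk into). */
const char *hook_name(unsigned char family, unsigned int hook)
{
    if (family == NFPROTO_ARP)
        return hook < 3 ? arp_hooks[hook] : NULL;
    if (family == NFPROTO_IPV4)
        return hook < 5 ? inet_hooks[hook] : NULL;
    return NULL;
}

/* Post-fix rule, modelled: an ARP table accepts only extensions that declare
 * NFPROTO_ARP; a generic (NFPROTO_UNSPEC) extension is rejected with -EINVAL.
 * Other families keep accepting generic extensions as before. */
int check_match_family(unsigned char table_family, const struct xt_match_model *m)
{
    if (table_family == NFPROTO_ARP)
        return m->family == NFPROTO_ARP ? 0 : -EINVAL;
    return (m->family == NFPROTO_UNSPEC || m->family == table_family) ? 0 : -EINVAL;
}

/* Constructed samples: one of the three arptables extensions named above and a
 * hypothetical general-purpose match declaring NFPROTO_UNSPEC. */
static const struct xt_match_model arpt_MARK = { "MARK", NFPROTO_ARP };
static const struct xt_match_model generic_match = { "generic", NFPROTO_UNSPEC };

int arp_table_loads_generic(void)   { return check_match_family(NFPROTO_ARP, &generic_match); }
int arp_table_loads_arpt_MARK(void) { return check_match_family(NFPROTO_ARP, &arpt_MARK); }
int ipv4_table_loads_generic(void)  { return check_match_family(NFPROTO_IPV4, &generic_match); }
```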
Vulnerability Details
EPSS: 0.0%
April 13, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31424
First tracked: April 13, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 95%