Improper Validation of Specified Type of Input Affecting kernel-debug-devel-matched package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS10-KERNELDEBUGDEVELMATCHED-16065432
- published15 Apr 2026
- disclosed13 Apr 2026
Introduced: 13 Apr 2026
NewCVE-2026-31424 (opens in a new tab)How to fix?
There is no fixed version for Centos:10 kernel-debug-devel-matched.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-debug-devel-matched package and not the kernel-debug-devel-matched package as distributed by Centos.
See How to fix? for Centos:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Weiming Shi says:
xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING).
ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: <TASK> nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) </TASK> Kernel panic - not syncing: Fatal exception in interrupt
Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports:
- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK
that provide explicit NFPROTO_ARP match/target declarations.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2457826
- https://access.redhat.com/security/cve/CVE-2026-31424
- https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c
- https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1
- https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a
- https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014
- https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f
- https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b
- https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b
- https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49