Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4
We discussed this vulnerability during Episode 124 on 01 March 2022
This is one of those cases where assumptions about state are made that can be violated. In nft_fwd_dup_netdev_offload, when offloading a dup or fwd rule to hardware, the num_actions value is used to index the actions array and is then incremented. The problem is that the actions array is allocated based on the number of immediate expression types. Since it is possible to manually create a dup or fwd rule that has no corresponding immediate expression, the increment can push the index arbitrarily far out of bounds.