CVE-2026-31579 (GCVE-0-2026-31579)

Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-04-24 14:42
VLAI?
Title
wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit
Summary
In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9a9e69155b2091b8297afaf1533b8d68a3096841 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1c52ef00e391144334f10995985c2f256d4be982 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1d0f6cbb962af29586e3e65a4bced1a5e39221f (git)
Create a notification for this product.
    Linux Linux Unaffected: 6.18.24 , ≤ 6.18.* (semver)
Unaffected: 6.19.14 , ≤ 6.19.* (semver)
Unaffected: 7.0.1 , ≤ 7.0.* (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireguard/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a9e69155b2091b8297afaf1533b8d68a3096841",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1c52ef00e391144334f10995985c2f256d4be982",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a1d0f6cbb962af29586e3e65a4bced1a5e39221f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireguard/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback.  This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd -\u003eexit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg-\u003ecreating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net-\u003euser_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T14:42:10.208Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f"
        }
      ],
      "title": "wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31579",
    "datePublished": "2026-04-24T14:42:10.208Z",
    "dateReserved": "2026-03-09T15:48:24.119Z",
    "dateUpdated": "2026-04-24T14:42:10.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31579",
      "date": "2026-04-26",
      "epss": "0.00017",
      "percentile": "0.0407"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31579\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:32.587\",\"lastModified\":\"2026-04-24T17:51:40.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\\n\\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\\npernet .pre_exit callback.  This causes a hung task when another\\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\\nsetup_net failure rollback path) blocks indefinitely in\\nwg_netns_pre_exit() waiting to acquire the lock.\\n\\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\\\"net:\\nAdd -\u003eexit_rtnl() hook to struct pernet_operations.\\\"), where the\\nframework already holds RTNL and batches all callbacks under a\\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\\nwindow.\\n\\nThe rcu_assign_pointer(wg-\u003ecreating_net, NULL) is safe to move\\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\\nbecause all RCU readers of creating_net either use maybe_get_net()\\n- which returns NULL for a dying namespace with zero refcount - or\\naccess net-\u003euser_ns which remains valid throughout the entire\\nops_undo_list sequence.\\n\\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.