FKIE_CVE-2026-31579

Vulnerability from fkie_nvd - Published: 2026-04-24 15:16 - Updated: 2026-04-24 17:51
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback.  This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd -\u003eexit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg-\u003ecreating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net-\u003euser_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]"
    }
  ],
  "id": "CVE-2026-31579",
  "lastModified": "2026-04-24T17:51:40.810",
  "metrics": {},
  "published": "2026-04-24T15:16:32.587",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.