Skip to main content

WireGuard CVE-2026-52945

| EUVDEUVD-2026-38813 HIGH
2026-06-24 Linux GHSA-rh26-99wm-wg2w
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Network-reachable load triggers it (AV:N, PR:N) but it is a rare non-deterministic race needing sustained multi-CPU heavy traffic (AC:H); impact is a permanent per-peer stall (A:H) with no C/I effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:30 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:26 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:26 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Revert "wireguard: device: enable threaded NAPI"

This reverts commit 933466fc50a8e4eb167acbd0d8ec96a078462e9c which is commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e upstream.

We have had three independent production user reports in combination with Cilium utilizing WireGuard as encryption underneath that k8s Pod E/W traffic to certain peer nodes fully stalled. The situation appears as follows:

  • Occurs very rarely but at random times under heavy networking load.
  • Once the issue triggers the decryption side stops working completely

for that WireGuard peer, other peers keep working fine. The stall happens also for newly initiated connections towards that particular WireGuard peer.

  • Only the decryption side is affected, never the encryption side.
  • Once it triggers, it never recovers and remains in this state,

the CPU/mem on that node looks normal, no leak, busy loop or crash.

  • bpftrace on the affected system shows that wg_prev_queue_enqueue

fails, thus the MAX_QUEUED_PACKETS (1024 skbs!) for the peer's rx_queue is reached.

  • Also, bpftrace shows that wg_packet_rx_poll for that peer is never

called again after reaching this state for that peer. For other peers wg_packet_rx_poll does get called normally.

  • Commit db9ae3b ("wireguard: device: enable threaded NAPI")

switched WireGuard to threaded NAPI by default. The default has not been changed for triggering the issue, neither did CPU hotplugging occur (i.e. 5bd8de2 ("wireguard: queueing: always return valid online CPU in wg_cpumask_choose_online()")).

  • The issue has been observed with stable kernels of v5.15 as well as

v6.1. It was reported to us that v5.10 stable is working fine, and no report on v6.6 stable either (somewhat related discussion in [0] though).

  • In the WireGuard driver the only material difference between v5.10

stable and v5.15 stable is the switch to threaded NAPI by default.

[0] https://lore.kernel.org/netdev/CA+wXwBTT74RErDGAnj98PqS=wvdh8eM1pi4q6tTdExtjnokKqA@mail.gmail.com/

Breakdown of the problem:

  1. skbs arriving for decryption are enqueued to the peer->rx_queue in

wg_packet_consume_data via wg_queue_enqueue_per_device_and_peer.

  1. The latter only moves the skb into the MPSC peer queue if it does

not surpass MAX_QUEUED_PACKETS (1024) which is kept track in an atomic counter via wg_prev_queue_enqueue.

  1. In case enqueueing was successful, the skb is also queued up

in the device queue, round-robin picks a next online CPU, and schedules the decryption worker.

  1. The wg_packet_decrypt_worker, once scheduled, picks these up

from the queue, decrypts the packets and once done calls into wg_queue_enqueue_per_peer_rx.

  1. The latter updates the state to PACKET_STATE_CRYPTED on success

and calls napi_schedule on the per peer->napi instance.

  1. NAPI then polls via wg_packet_rx_poll. wg_prev_queue_peek checks

on the peer->rx_queue. It will wg_prev_queue_dequeue if the queue->peeked skb was not cached yet, or just return the latter otherwise. (wg_prev_queue_drop_peeked later clears the cache.)

  1. From an ordering perspective, the peer->rx_queue has skbs in order

while the device queue with the per-CPU worker threads from a global ordering PoV can finish the decryption and signal the skb PACKET_STATE_CRYPTED out of order.

  1. A situation can be observed that the first packet coming in will

be stuck waiting for the decryption worker to be scheduled for a longer time when the system is under pressure.

  1. While this is the case, the other CPUs in the meantime finish

decryption and call into napi_schedule.

  1. Now in wg_packet_rx_poll it picks up the first in-order skb

from the peer->rx_queue and sees that its state is still PACKET_STATE_UNCRYPTED. The NAPI poll routine then exits e ---truncated---

AnalysisAI

Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Heavy encrypted traffic to a WireGuard peer
Delivery
Decrypt workers complete out of order
Exploit
First in-order skb stuck UNCRYPTED
Execution
wg_packet_rx_poll exits without rescheduling
Persist
rx_queue saturates at 1024 packets
Impact
Permanent decryption stall for that peer

Vulnerability AssessmentAI

Exploitation Requires the in-kernel WireGuard driver running with threaded NAPI enabled - the default on affected 5.15/6.1/6.12 stable kernels after commit db9ae3b - and sustained heavy receive-side networking load across multiple CPUs, which is what races the per-CPU decrypt workers against the in-order per-peer rx_queue. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent in pointing to a real but low-urgency availability bug rather than an attacker-driven weapon. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Under sustained heavy encrypted traffic between Kubernetes nodes (e.g. Cilium using WireGuard), a decrypt worker for the first in-order packet is delayed while later packets finish out of order, leaving wg_packet_rx_poll wedged and the peer's 1024-slot rx_queue fully backed up. …
Remediation Apply the vendor stable-kernel update that contains the revert: upgrade to Linux 6.12.74 or later in the 6.12 series (fixing commit e94b369ff82f9bc84f090f271bd78f41c9f6ab2f), or the equivalent patched build for your 5.15/6.1 stable branch once your distribution ships it; this is Vendor-released patch: Linux 6.12.74 (and corresponding stable backports). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify infrastructure running affected Linux kernel versions with WireGuard enabled, particularly Cilium-based Kubernetes clusters. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-52945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy