Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable load triggers it (AV:N, PR:N) but it is a rare non-deterministic race needing sustained multi-CPU heavy traffic (AC:H); impact is a permanent per-peer stall (A:H) with no C/I effect.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
Revert "wireguard: device: enable threaded NAPI"
This reverts commit 933466fc50a8e4eb167acbd0d8ec96a078462e9c which is commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e upstream.
We have had three independent production user reports in combination with Cilium utilizing WireGuard as encryption underneath that k8s Pod E/W traffic to certain peer nodes fully stalled. The situation appears as follows:
- Occurs very rarely but at random times under heavy networking load.
- Once the issue triggers the decryption side stops working completely
for that WireGuard peer, other peers keep working fine. The stall happens also for newly initiated connections towards that particular WireGuard peer.
- Only the decryption side is affected, never the encryption side.
- Once it triggers, it never recovers and remains in this state,
the CPU/mem on that node looks normal, no leak, busy loop or crash.
- bpftrace on the affected system shows that wg_prev_queue_enqueue
fails, thus the MAX_QUEUED_PACKETS (1024 skbs!) for the peer's rx_queue is reached.
- Also, bpftrace shows that wg_packet_rx_poll for that peer is never
called again after reaching this state for that peer. For other peers wg_packet_rx_poll does get called normally.
- Commit db9ae3b ("wireguard: device: enable threaded NAPI")
switched WireGuard to threaded NAPI by default. The default has not been changed for triggering the issue, neither did CPU hotplugging occur (i.e. 5bd8de2 ("wireguard: queueing: always return valid online CPU in wg_cpumask_choose_online()")).
- The issue has been observed with stable kernels of v5.15 as well as
v6.1. It was reported to us that v5.10 stable is working fine, and no report on v6.6 stable either (somewhat related discussion in [0] though).
- In the WireGuard driver the only material difference between v5.10
stable and v5.15 stable is the switch to threaded NAPI by default.
[0] https://lore.kernel.org/netdev/CA+wXwBTT74RErDGAnj98PqS=wvdh8eM1pi4q6tTdExtjnokKqA@mail.gmail.com/
Breakdown of the problem:
- skbs arriving for decryption are enqueued to the peer->rx_queue in
wg_packet_consume_data via wg_queue_enqueue_per_device_and_peer.
- The latter only moves the skb into the MPSC peer queue if it does
not surpass MAX_QUEUED_PACKETS (1024) which is kept track in an atomic counter via wg_prev_queue_enqueue.
- In case enqueueing was successful, the skb is also queued up
in the device queue, round-robin picks a next online CPU, and schedules the decryption worker.
- The wg_packet_decrypt_worker, once scheduled, picks these up
from the queue, decrypts the packets and once done calls into wg_queue_enqueue_per_peer_rx.
- The latter updates the state to PACKET_STATE_CRYPTED on success
and calls napi_schedule on the per peer->napi instance.
- NAPI then polls via wg_packet_rx_poll. wg_prev_queue_peek checks
on the peer->rx_queue. It will wg_prev_queue_dequeue if the queue->peeked skb was not cached yet, or just return the latter otherwise. (wg_prev_queue_drop_peeked later clears the cache.)
- From an ordering perspective, the peer->rx_queue has skbs in order
while the device queue with the per-CPU worker threads from a global ordering PoV can finish the decryption and signal the skb PACKET_STATE_CRYPTED out of order.
- A situation can be observed that the first packet coming in will
be stuck waiting for the decryption worker to be scheduled for a longer time when the system is under pressure.
- While this is the case, the other CPUs in the meantime finish
decryption and call into napi_schedule.
- Now in wg_packet_rx_poll it picks up the first in-order skb
from the peer->rx_queue and sees that its state is still PACKET_STATE_UNCRYPTED. The NAPI poll routine then exits e ---truncated---
AnalysisAI
Denial of service in the Linux kernel's WireGuard module causes the receive/decryption path to permanently stall for an individual peer under heavy network load. Affected stable trees (notably 6.12.34 through 6.12.73, with the same defect originating in 5.15/6.1 where threaded NAPI became default) can have inbound traffic to a specific WireGuard peer halt completely once the per-peer rx_queue fills its 1024-packet backlog and wg_packet_rx_poll is never rescheduled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the in-kernel WireGuard driver running with threaded NAPI enabled - the default on affected 5.15/6.1/6.12 stable kernels after commit db9ae3b - and sustained heavy receive-side networking load across multiple CPUs, which is what races the per-CPU decrypt workers against the in-order per-peer rx_queue. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent in pointing to a real but low-urgency availability bug rather than an attacker-driven weapon. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | Under sustained heavy encrypted traffic between Kubernetes nodes (e.g. Cilium using WireGuard), a decrypt worker for the first in-order packet is delayed while later packets finish out of order, leaving wg_packet_rx_poll wedged and the peer's 1024-slot rx_queue fully backed up. … |
| Remediation | Apply the vendor stable-kernel update that contains the revert: upgrade to Linux 6.12.74 or later in the 6.12 series (fixing commit e94b369ff82f9bc84f090f271bd78f41c9f6ab2f), or the equivalent patched build for your 5.15/6.1 stable branch once your distribution ships it; this is Vendor-released patch: Linux 6.12.74 (and corresponding stable backports). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify infrastructure running affected Linux kernel versions with WireGuard enabled, particularly Cilium-based Kubernetes clusters. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38813
GHSA-rh26-99wm-wg2w