Description
In the Linux kernel, the following vulnerability has been resolved:

wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit

wg_netns_pre_exit() manually acquires rtnl_lock() inside the
pernet .pre_exit callback. This causes a hung task when another
thread holds rtnl_mutex - the cleanup_net workqueue (or the
setup_net failure rollback path) blocks indefinitely in
wg_netns_pre_exit() waiting to acquire the lock.

Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net:
Add ->exit_rtnl() hook to struct pernet_operations."), where the
framework already holds RTNL and batches all callbacks under a
single rtnl_lock()/rtnl_unlock() pair, eliminating the contention
window.

The rcu_assign_pointer(wg->creating_net, NULL) is safe to move
from .pre_exit to .exit_rtnl (which runs after synchronize_rcu())
because all RCU readers of creating_net either use maybe_get_net()
- which returns NULL for a dying namespace with zero refcount - or
access net->user_ns which remains valid throughout the entire
ops_undo_list sequence.

[ Jason: added __net_exit and __read_mostly annotations that were missing. ]
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (service hang)
Action: Apply Patch
AI Analysis

Impact

The bug in the Linux kernel's WireGuard network namespace cleanup path introduces a deadlock by manually acquiring the rtnl_lock during the .pre_exit callback. This locking strategy causes any thread holding the rtnl_mutex—such as the cleanup_net workqueue or rollback paths—to block indefinitely, leading to a hung task. The result is a denial-of-service condition that can stall kernel operations within the affected namespace, potentially affecting system responsiveness or availability.

Affected Systems

The vulnerability applies to the Linux kernel, affecting all distributions that ship the kernel code unchanged and lack the patch that replaces the manual rtnl_lock with the .exit_rtnl hook introduced in commit 7a60d91c690b. Vendor and product names are simply Linux: Linux. No specific affected kernel versions are listed in the CNA data; the issue exists in any kernel build containing the unpatched pernet .pre_exit implementation.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and the EPSS score of less than 1% suggests a low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to trigger the namespace exit sequence while another process holds the rtnl_mutex, which generally requires local privileged (root) access or the ability to create and delete network namespaces. The fix relies on a standard kernel update that removes the manual lock and uses the framework‑provided .exit_rtnl hook, eliminating the contention window.

Generated by OpenCVE AI on April 28, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch fixing the WireGuard namespace cleanup deadlock (the commit that replaces manual rtnl_lock with .exit_rtnl).
  • Reboot or reload the kernel to activate the updated code.
  • Restrict the creation and deletion of network namespaces to trusted users or administrative accounts to reduce the attack surface until the kernel update can be applied.

Generated by OpenCVE AI on April 28, 2026 at 20:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]
Title wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:31.251Z

Reserved: 2026-03-09T15:48:24.119Z

Link: CVE-2026-31579

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:32.587

Modified: 2026-04-27T20:43:29.070

Link: CVE-2026-31579

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31579 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses