Description
In the Linux kernel, the following vulnerability has been resolved:

igb: remove napi_synchronize() in igb_down()

When an AF_XDP zero-copy application terminates abruptly (e.g., kill -9),
the XSK buffer pool is destroyed but NAPI polling continues.
igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing
napi_complete_done() from clearing NAPI_STATE_SCHED.

igb_down() calls napi_synchronize() before napi_disable() for each queue
vector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear,
which never happens. igb_down() blocks indefinitely, the TX watchdog
fires, and the TX queue remains permanently stalled.

napi_disable() already handles this correctly: it sets NAPI_STATE_DISABLE.
After a full-budget poll, __napi_poll() checks napi_disable_pending(). If
set, it forces completion and clears NAPI_STATE_SCHED, breaking the loop
that napi_synchronize() cannot.

napi_synchronize() was added in commit 41f149a285da ("igb: Fix possible
panic caused by Rx traffic arrival while interface is down").
napi_disable() provides stronger guarantees: it prevents further
scheduling and waits for any active poll to exit.
Other Intel drivers (ixgbe, ice, i40e) use napi_disable() without a
preceding napi_synchronize() in their down paths.

Remove redundant napi_synchronize() call and reorder napi_disable()
before igb_set_queue_napi() so the queue-to-NAPI mapping is only
cleared after polling has fully stopped.
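
The state-bit behaviour described above, as a simplified user-space model. This is an added example, not kernel or igb driver code; the `model_` names, the bit values, the budget of 64 and the bounded pass count are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
enum { SCHED = 1u << 0, DISABLE = 1u << 1 };  /* model of the two state bits */
#define BUDGET 64
struct model_napi {
    unsigned state;
    bool pool_gone;  /* XSK pool destroyed while polling continues */
};

/* Stand-in for igb_clean_rx_irq_zc(): full budget whenever the pool is gone. */
static int model_rx_poll(const struct model_napi *n)
{
    return n->pool_gone ? BUDGET : 0;
}

/* One poll pass, following the description of __napi_poll(). */
static void model_poll_once(struct model_napi *n)
{
    if (!(n->state & SCHED))
        return;
    if (model_rx_poll(n) < BUDGET || (n->state & DISABLE))
        n->state &= ~SCHED;  /* normal completion, or forced by pending disable */
}

/* Wait for SCHED to clear, as napi_synchronize() does, but bounded.
 * Returns the passes needed, or -1 if SCHED is still set at the limit. */
static int model_wait_sched_clear(struct model_napi *n, int max_passes)
{
    for (int i = 0; i < max_passes; i++) {
        if (!(n->state & SCHED))
            return i;
        model_poll_once(n);
    }
    return (n->state & SCHED) ? -1 : max_passes;
}

/* Fixed ordering: mark the disable as pending first, then wait. */
static int model_disable_then_wait(struct model_napi *n, int max_passes)
{
    n->state |= DISABLE;
    return model_wait_sched_clear(n, max_passes);
}

int main(void)
{
    struct model_napi a = { SCHED, true }, b = { SCHED, true };
    printf("wait only:         %d\n", model_wait_sched_clear(&a, 1000));
    printf("disable then wait: %d\n", model_disable_then_wait(&b, 1000));
}
```

The model leaves out that the real napi_disable() also blocks further scheduling after the poll exits; it only shows why a pending disable lets the full-budget loop terminate.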
Published: 2026-04-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the napi_synchronize() call that the igb driver's down routine, igb_down(), makes before napi_disable() for each queue vector. When an AF_XDP zero-copy application is killed abruptly, the XSK buffer pool is destroyed while NAPI polling continues. Because igb_clean_rx_irq_zc() keeps returning the full budget, NAPI_STATE_SCHED is never cleared, so napi_synchronize() never returns: igb_down() blocks indefinitely, the TX watchdog fires, and the transmit queue remains permanently stalled. The result is a denial of service on the affected network interface.

Affected Systems

All Linux kernels that ship the igb network driver are affected. The fix has been incorporated into recent stable releases; until the patch is applied, any distribution using a version of the kernel that still contains the old down path is vulnerable. No specific version numbers are listed, so systems should verify whether they contain commit 27f5997686ee7fb7ac01be72b2010f168a3409fc or later.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. Because exploitation requires a local user to bring down the interface by abruptly terminating an AF_XDP application, the attack vector is local and contingent on sufficient privileges. The EPSS score is < 1%, indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers with local access can use the described sequence to cause a service interruption; remote exploitation is not indicated.

Generated by OpenCVE AI on May 7, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that reorders napi_disable and removes the redundant napi_synchronize() call; this fixes the scheduling issue identified by CWE‑833.
  • As a temporary workaround, unload and reload the igb driver (or reboot) to clear the blocked NAPI state and release the stuck TX queue, mitigating the denial‑of‑service condition.
  • Ensure AF_XDP zero‑copy applications shut down gracefully; avoid sending SIGKILL to prevent the driver from entering the stalled state.



Advisories

No advisories yet.

History

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Tue, 28 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 27 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Title igb: remove napi_synchronize() in igb_down()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:48.573Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31691

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-27T18:16:54.610

Modified: 2026-05-06T20:49:04.757

Link: CVE-2026-31691

Redhat

Severity: Moderate

Public Date: 2026-04-27T00:00:00Z

Links: CVE-2026-31691 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T00:30:12Z

Weaknesses