Impact
The vulnerability resides in the Linux kernel’s WireGuard decryption driver. When WireGuard is built with threaded NAPI enabled by default, the decryption worker may become permanently stalled for a particular peer under heavy network load. This stall occurs after the peer’s receive queue reaches its maximum of 1024 skbs, causing the decryption side to cease processing further packets for that peer while other peers continue normally. Although the kernel remains operational, the affected peer experiences persistent packet loss, effectively denying service for that connection without producing a crash or system-wide crash-loop.
Affected Systems
Linux kernel versions 5.15 stable and 6.1 stable are affected when the commit that enables threaded NAPI by default is present. The issue is not observed in 5.10 stable or 6.6 stable, indicating the regression is tied to the threaded NAPI change. Any system running a kernel with threaded NAPI enabled for WireGuard and handling pod‑to‑pod or inter‑node traffic is potentially impacted.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the reported EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The likely attack vector requires an adversary to generate high‑volume WireGuard traffic directed at a specific peer to trigger the stall; this inference is based on the description that the issue occurs rarely under heavy networking load. The vulnerability is not listed in the CISA KEV catalog. Because the stall is limited to the decryption path of WireGuard and does not affect encryption, system stability, or other networking components, the overall risk is confined to disrupted peer communication rather than a full system compromise.
OpenCVE Enrichment