CVE-2026-31691
Deadlock Vulnerability in Linux igb Driver Causing TX Queue Stall
Publication date: 2026-04-27
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.13 (exc) |
| linux | linux_kernel | From 6.14 (inc) to 6.18.23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's igb driver related to network interface handling. When an AF_XDP zero-copy application terminates abruptly (for example, using kill -9), the XSK buffer pool is destroyed but NAPI polling continues. The function igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing napi_complete_done() from clearing the NAPI_STATE_SCHED state.
The igb_down() function calls napi_synchronize() before napi_disable() for each queue vector. However, napi_synchronize() waits indefinitely for NAPI_STATE_SCHED to clear, which never happens in this scenario, causing igb_down() to block indefinitely. This leads to the TX watchdog firing and the TX queue becoming permanently stalled.
The fix involves removing the redundant napi_synchronize() call and reordering the calls so that napi_disable() is called before clearing the queue-to-NAPI mapping. This ensures polling fully stops before the mapping is cleared, preventing the indefinite blocking.
How can this vulnerability impact me? :
This vulnerability can cause the network interface's transmit (TX) queue to become permanently stalled. Specifically, when an AF_XDP zero-copy application terminates abruptly, the network driver can block indefinitely during shutdown, triggering the TX watchdog and preventing the TX queue from functioning.
As a result, network traffic transmission through the affected interface can be disrupted, leading to potential network outages or degraded network performance on systems using the affected igb driver.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by the igb driver calling napi_synchronize() before napi_disable(), which can cause the igb_down() function to block indefinitely and stall the TX queue.
To mitigate this issue, the fix involves removing the redundant napi_synchronize() call and reordering the calls so that napi_disable() is called before clearing the queue-to-NAPI mapping. This ensures that polling is fully stopped before the mapping is cleared, preventing the indefinite blocking.
Therefore, the immediate step is to update the Linux kernel to a version that includes this fix, which removes the napi_synchronize() call in igb_down() and properly orders napi_disable() before igb_set_queue_napi().