CVE-2026-31691
Awaiting Analysis
Deadlock Vulnerability in Linux igb Driver Causing TX Queue Stall

Publication date: 2026-04-27

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

igb: remove napi_synchronize() in igb_down()

When an AF_XDP zero-copy application terminates abruptly (e.g., kill -9), the XSK buffer pool is destroyed but NAPI polling continues. igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing napi_complete_done() from clearing NAPI_STATE_SCHED.

igb_down() calls napi_synchronize() before napi_disable() for each queue vector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear, which never happens. igb_down() blocks indefinitely, the TX watchdog fires, and the TX queue remains permanently stalled.

napi_disable() already handles this correctly: it sets NAPI_STATE_DISABLE. After a full-budget poll, __napi_poll() checks napi_disable_pending(). If set, it forces completion and clears NAPI_STATE_SCHED, breaking the loop that napi_synchronize() cannot.

napi_synchronize() was added in commit 41f149a285da ("igb: Fix possible panic caused by Rx traffic arrival while interface is down"). napi_disable() provides stronger guarantees: it prevents further scheduling and waits for any active poll to exit.

Other Intel drivers (ixgbe, ice, i40e) use napi_disable() without a preceding napi_synchronize() in their down paths.

Remove redundant napi_synchronize() call and reorder napi_disable() before igb_set_queue_napi() so the queue-to-NAPI mapping is only cleared after polling has fully stopped.

Meta Information

Published: 2026-04-27
Last Modified: 2026-05-06
Generated: 2026-06-16
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-06-15

Affected Vendors & Products

Showing 9 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  From 6.19 (inc) to 6.19.13 (exc)
linux   linux_kernel  From 6.14 (inc) to 6.18.23 (exc)

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability is in the interface shutdown path, igb_down(), of the Linux kernel's igb network driver. When an AF_XDP zero-copy application terminates abruptly (for example, using kill -9), the XSK buffer pool is destroyed but NAPI polling continues. The function igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing napi_complete_done() from clearing the NAPI_STATE_SCHED state.

The igb_down() function calls napi_synchronize() before napi_disable() for each queue vector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear, which never happens in this scenario, so igb_down() blocks indefinitely. The TX watchdog then fires and the TX queue remains permanently stalled.

The fix removes the redundant napi_synchronize() call and relies on napi_disable(), which sets NAPI_STATE_DISABLE so that __napi_poll() forces completion and clears NAPI_STATE_SCHED after a full-budget poll. It also calls napi_disable() before igb_set_queue_napi(), so the queue-to-NAPI mapping is only cleared after polling has fully stopped.
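
The state handling described above can be modeled in user space. This is an added example, not code from the igb driver or the kernel patch: the flag and function names echo the kernel's, but the struct, the bounded wait and the helpers `rx_poll`, `softirq_pass`, `model_synchronize` and `model_disable` are assumptions made for illustration, and the real napi_disable() does more than the model shows.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; names echo the kernel's, but this is not kernel code. */
enum { SCHED = 1u << 0, DISABLE = 1u << 1 };   /* NAPI_STATE_SCHED / _DISABLE */
struct napi { unsigned state; bool pool_alive; };

/* Models igb_clean_rx_irq_zc(): with the XSK pool gone it keeps reporting
 * the full budget, so the napi_complete_done() path is never reached. */
static int rx_poll(struct napi *n, int budget)
{
    if (n->pool_alive) {
        n->state &= ~SCHED;          /* normal completion, work < budget */
        return 0;
    }
    return budget;
}

/* Models one pass of __napi_poll(), including the disable-pending check. */
static void softirq_pass(struct napi *n, int budget)
{
    if (!(n->state & SCHED))
        return;
    if (rx_poll(n, budget) == budget && (n->state & DISABLE))
        n->state &= ~SCHED;          /* forced completion */
}

/* napi_synchronize() model: only waits for SCHED to clear. Returns the number
 * of poll passes waited, or -1 if SCHED is still set after max_passes
 * (the real call has no bound and spins forever). */
static int model_synchronize(struct napi *n, int max_passes)
{
    for (int i = 0; i <= max_passes; i++) {
        if (!(n->state & SCHED))
            return i;
        softirq_pass(n, 64);
    }
    return -1;
}

/* napi_disable() model (simplified): flag the disable first, then wait. */
static int model_disable(struct napi *n, int max_passes)
{
    n->state |= DISABLE;
    return model_synchronize(n, max_passes);
}

int main(void)
{
    struct napi old_path = { SCHED, false }, new_path = { SCHED, false };
    printf("napi_synchronize first: %d\n", model_synchronize(&old_path, 1000));
    printf("napi_disable only:      %d\n", model_disable(&new_path, 1000));
    return 0;
}
```

A result of -1 corresponds to the hang in the pre-fix igb_down(); a small positive count means the wait ended after that many poll passes.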

Impact Analysis

This vulnerability can cause the network interface's transmit (TX) queue to become permanently stalled. Specifically, when an AF_XDP zero-copy application terminates abruptly, the network driver can block indefinitely during shutdown, triggering the TX watchdog and preventing the TX queue from functioning.

As a result, network traffic transmission through the affected interface can be disrupted, leading to potential network outages or degraded network performance on systems using the affected igb driver.

Mitigation Strategies

The root cause is that igb_down() calls napi_synchronize() before napi_disable(), which can block igb_down() indefinitely and stall the TX queue.

The fix removes the redundant napi_synchronize() call and calls napi_disable() before clearing the queue-to-NAPI mapping, so polling is fully stopped before the mapping is cleared.

The immediate step is therefore to update the Linux kernel to a version that includes this fix, which removes the napi_synchronize() call in igb_down() and orders napi_disable() before igb_set_queue_napi().
