CVE-2026-52945
Received Received - Intake
WireGuard Kernel Threaded NAPI Decryption Stall Issue

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Revert "wireguard: device: enable threaded NAPI" This reverts commit 933466fc50a8e4eb167acbd0d8ec96a078462e9c which is commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e upstream. We have had three independent production user reports in combination with Cilium utilizing WireGuard as encryption underneath that k8s Pod E/W traffic to certain peer nodes fully stalled. The situation appears as follows: - Occurs very rarely but at random times under heavy networking load. - Once the issue triggers the decryption side stops working completely for that WireGuard peer, other peers keep working fine. The stall happens also for newly initiated connections towards that particular WireGuard peer. - Only the decryption side is affected, never the encryption side. - Once it triggers, it never recovers and remains in this state, the CPU/mem on that node looks normal, no leak, busy loop or crash. - bpftrace on the affected system shows that wg_prev_queue_enqueue fails, thus the MAX_QUEUED_PACKETS (1024 skbs!) for the peer's rx_queue is reached. - Also, bpftrace shows that wg_packet_rx_poll for that peer is never called again after reaching this state for that peer. For other peers wg_packet_rx_poll does get called normally. - Commit db9ae3b ("wireguard: device: enable threaded NAPI") switched WireGuard to threaded NAPI by default. The default has not been changed for triggering the issue, neither did CPU hotplugging occur (i.e. 5bd8de2 ("wireguard: queueing: always return valid online CPU in wg_cpumask_choose_online()")). - The issue has been observed with stable kernels of v5.15 as well as v6.1. It was reported to us that v5.10 stable is working fine, and no report on v6.6 stable either (somewhat related discussion in [0] though). - In the WireGuard driver the only material difference between v5.10 stable and v5.15 stable is the switch to threaded NAPI by default. [0] https://lore.kernel.org/netdev/CA+wXwBTT74RErDGAnj98PqS=wvdh8eM1pi4q6tTdExtjnokKqA@mail.gmail.com/ Breakdown of the problem: 1) skbs arriving for decryption are enqueued to the peer->rx_queue in wg_packet_consume_data via wg_queue_enqueue_per_device_and_peer. 2) The latter only moves the skb into the MPSC peer queue if it does not surpass MAX_QUEUED_PACKETS (1024) which is kept track in an atomic counter via wg_prev_queue_enqueue. 3) In case enqueueing was successful, the skb is also queued up in the device queue, round-robin picks a next online CPU, and schedules the decryption worker. 4) The wg_packet_decrypt_worker, once scheduled, picks these up from the queue, decrypts the packets and once done calls into wg_queue_enqueue_per_peer_rx. 5) The latter updates the state to PACKET_STATE_CRYPTED on success and calls napi_schedule on the per peer->napi instance. 6) NAPI then polls via wg_packet_rx_poll. wg_prev_queue_peek checks on the peer->rx_queue. It will wg_prev_queue_dequeue if the queue->peeked skb was not cached yet, or just return the latter otherwise. (wg_prev_queue_drop_peeked later clears the cache.) 7) From an ordering perspective, the peer->rx_queue has skbs in order while the device queue with the per-CPU worker threads from a global ordering PoV can finish the decryption and signal the skb PACKET_STATE_CRYPTED out of order. 8) A situation can be observed that the first packet coming in will be stuck waiting for the decryption worker to be scheduled for a longer time when the system is under pressure. 9) While this is the case, the other CPUs in the meantime finish decryption and call into napi_schedule. 10) Now in wg_packet_rx_poll it picks up the first in-order skb from the peer->rx_queue and sees that its state is still PACKET_STATE_UNCRYPTED. The NAPI poll routine then exits e ---truncated---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52945
EUVD
EUVD-2026-38813
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wireguard wireguard From 5.15 (inc) to 6.1 (exc)
wireguard wireguard From 5.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel relates to WireGuard's switch to threaded NAPI for packet processing. Under heavy network load, the decryption side for a specific WireGuard peer can stall completely and stop working, while encryption and other peers remain unaffected. This happens because the receive queue for that peer reaches its maximum capacity (1024 packets), causing new packets to be dropped and the decryption worker to never be scheduled again for that peer. As a result, the decryption process for that peer halts indefinitely, causing traffic to that peer to stall.

The issue is triggered rarely and randomly under heavy load, and once it occurs, it does not recover without intervention. It was introduced by a commit that enabled threaded NAPI by default in WireGuard and affects stable kernel versions 5.15 and 6.1, but not 5.10 or 6.6.

Impact Analysis

This vulnerability can cause network traffic to certain WireGuard peers to stall completely on the decryption side, leading to a loss of connectivity or communication with those peers. This can disrupt services relying on WireGuard VPN tunnels, especially in Kubernetes environments using Cilium with WireGuard encryption.

Since the decryption stops working and does not recover, affected connections to the peer will fail, potentially causing downtime or degraded network performance for applications depending on those connections.

Detection Guidance

This vulnerability can be detected by observing the behavior of WireGuard peers under heavy networking load, specifically looking for stalls in decryption for certain peers while other peers continue to function normally.

A key indicator is that the decryption side stops working completely for a WireGuard peer and never recovers, with no CPU or memory leaks or crashes.

Using bpftrace on the affected system can help detect the issue by showing that wg_prev_queue_enqueue fails because the MAX_QUEUED_PACKETS (1024 skbs) limit for the peer's rx_queue is reached.

Additionally, bpftrace can show that wg_packet_rx_poll for the affected peer is never called again after reaching this state, while it continues normally for other peers.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52945. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart