{"api_version":"1","generated_at":"2026-04-25T10:16:04+00:00","cve":"CVE-2026-31579","urls":{"html":"https://cve.report/CVE-2026-31579","api":"https://cve.report/api/cve/CVE-2026-31579.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31579","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31579"},"summary":{"title":"wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback.  This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd ->exit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg->creating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net->user_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-24 15:16:32","updated_at":"2026-04-24 17:51:40"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982","name":"https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f","name":"https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841","name":"https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31579","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31579","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 9a9e69155b2091b8297afaf1533b8d68a3096841 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 1c52ef00e391144334f10995985c2f256d4be982 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 a1d0f6cbb962af29586e3e65a4bced1a5e39221f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.24 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.14 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.1 7.0.* semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/wireguard/device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"9a9e69155b2091b8297afaf1533b8d68a3096841","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"1c52ef00e391144334f10995985c2f256d4be982","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"},{"lessThan":"a1d0f6cbb962af29586e3e65a4bced1a5e39221f","status":"affected","version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/wireguard/device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.24","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.14","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.1","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.24","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.1","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback.  This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd ->exit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg->creating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net->user_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]"}],"providerMetadata":{"dateUpdated":"2026-04-24T14:42:10.208Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/9a9e69155b2091b8297afaf1533b8d68a3096841"},{"url":"https://git.kernel.org/stable/c/1c52ef00e391144334f10995985c2f256d4be982"},{"url":"https://git.kernel.org/stable/c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f"}],"title":"wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31579","datePublished":"2026-04-24T14:42:10.208Z","dateReserved":"2026-03-09T15:48:24.119Z","dateUpdated":"2026-04-24T14:42:10.208Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 15:16:32","lastModifiedDate":"2026-04-24 17:51:40","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31579","Ordinal":"1","Title":"wireguard: device: use exit_rtnl callback instead of manual rtnl","CVE":"CVE-2026-31579","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31579","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit\n\nwg_netns_pre_exit() manually acquires rtnl_lock() inside the\npernet .pre_exit callback.  This causes a hung task when another\nthread holds rtnl_mutex - the cleanup_net workqueue (or the\nsetup_net failure rollback path) blocks indefinitely in\nwg_netns_pre_exit() waiting to acquire the lock.\n\nConvert to .exit_rtnl, introduced in commit 7a60d91c690b (\"net:\nAdd ->exit_rtnl() hook to struct pernet_operations.\"), where the\nframework already holds RTNL and batches all callbacks under a\nsingle rtnl_lock()/rtnl_unlock() pair, eliminating the contention\nwindow.\n\nThe rcu_assign_pointer(wg->creating_net, NULL) is safe to move\nfrom .pre_exit to .exit_rtnl (which runs after synchronize_rcu())\nbecause all RCU readers of creating_net either use maybe_get_net()\n- which returns NULL for a dying namespace with zero refcount - or\naccess net->user_ns which remains valid throughout the entire\nops_undo_list sequence.\n\n[ Jason: added __net_exit and __read_mostly annotations that were missing. ]","Type":"Description","Title":"wireguard: device: use exit_rtnl callback instead of manual rtnl"}]}}}